21 August 2019

FSC issues Circular Letter CL210819 on Cyber Risk Security Governance

From a cyber security risk governance perspective, the FSC will expect the following, as a minimum, from the Management Companies:
  • understanding of the cyber risks, vulnerabilities and impact associated with running their businesses, with supporting documentation;
  • putting into place appropriate policies and procedures duly approved by the board to mitigate the risks;
  • carrying out an annual cyber security risk assessment which is reported to the board;
  • conducting regular IT audits and addressing identified loopholes accordingly;
  • conducting penetration testing to ensure that their systems are not vulnerable or susceptible to cyber attacks;
  • putting in place appropriate contingency arrangements that can be deployed in the event of a cyber attack, including but not limited to maintaining service levels for clients and informing relevant parties and authorities about the attack and its impact; and
  • running a comprehensive technology risk and cyber security training programme at all levels.
