Back Custom print Link Text Only Rich Text Print

  • Roles and Responsibilities of the Board

    • CRA-5.8.2

      The board must provide oversight and accord sufficient priority and resources to manage cyber security risk, as part of the licensee's overall risk management framework.

      Amended: January 2020
      Added: April 2019

    • CRA-5.8.3

      In discharging its oversight functions, the board must:

      (a) ensure that the licensee's strategy, policy and risk management approach relating to cyber security are presented for the board's deliberation and approval;
      (b) ensure that the approved cyber security risk policies and procedures are implemented by the management;
      (c) monitor the effectiveness of the implementation of the licensee's cyber security risk policies and procedures and ensure that such policies and procedures are periodically reviewed, improved and updated, where required. This may include setting performance metrics or indicators, as appropriate, to assess the effectiveness of the implementation of cyber security risk policies and procedures;
      (d) ensure that adequate resources are allocated to manage cyber security including appointing a qualified person as Chief Information Security Officer ("CISO") with appropriate authority to implement the cyber security strategy. The CISO is the person responsible and accountable for the effective management of cyber security;
      (e) [This Subparagraph was deleted in April 2023];
      (f) ensure that the impact of cyber security risk is adequately assessed when undertaking new activities, including but not limited to any new products, investment decision, merger and acquisition, adoption of new technology and outsourcing arrangements; and
      (g) ensure that the board keeps itself updated and is aware of new or emerging trends of cyber security threats, and understand the potential impact of such threats to the licensee.
      (h) Ensure that the management continues to promote awareness on cyber resilience at all levels within the entity;
      (i) Ensure that the impact of cyber security risk is adequately assessed when undertaking new activities, including but not limited to any new products, investments decision, merger and acquisition, adoption of new technology and outsourcing arrangements; and
      (j) Ensure that the board keeps itself updated and is aware of new or emerging trends of cyber security threats and understand the potential impact of such threats to the licensee.
      Amended: April 2023
      Amended: January 2020
      Added: April 2019