CRA-5.8.3
In discharging its oversight functions, the board must:
(a) ensure that the licensee's policies relating to cyber security are presented for the board's deliberation and approval;
(b) ensure that the approved cyber security risk policies and procedures are implemented by the management;
(c) monitor the effectiveness of the implementation of the licensee's cyber security risk policies and ensure that such policies and procedures are periodically reviewed and improved, where required. This may include setting performance metrics or indicators, as appropriate, to assess the effectiveness of the implementation of cyber security risk policies and procedures;
(d) ensure that adequate resources are allocated to manage cyber security including appointing a qualified person as Chief Information Security Officer ("CISO"). The CISO is the person responsible and accountable for the effective management of cyber security;
(e) ensure that the management continues to promote awareness on cyber resilience at all levels within the entity;
(f) ensure that the impact of cyber security risk is adequately assessed when undertaking new activities, including but not limited to any new products, investment decisions, mergers and acquisitions, adoption of new technology and outsourcing arrangements; and
(g) ensure that the board keeps itself updated and is aware of new or emerging trends of cyber security threats, and understands the potential impact of such threats to the licensee.
Amended: January 2020
Added: April 2019