CRA-5.8.5

Past version: Effective from 01 Jan 2020 to 31 Mar 2023

Licensees must implement a written cyber security risk policy setting forth the licensee's Board-approved policies and the related procedures approved by senior management for the protection of its electronic systems and the clients' data stored on those systems, which must be reviewed and approved by the licensee's board of directors at least annually. The cyber security policy must, among other things, address the following areas:

(a) A clear description of the risk tolerance in relation to cyber security risk that is acceptable to the licensee, such as the occurrence and severity of cyber security breaches, the maximum service downtime, recovery time objectives, the minimum level of system and service availability, potential negative media publicity, potential regulatory and financial impact, or a combination of other measures;
(b) Strategy and measures to manage cyber security risk encompassing prevention, detection and recovery from a cyber security breach;
(c) Roles, responsibilities and lines of accountability of the board, the board committees, the person responsible and accountable for effective management of cyber security risk, and key personnel involved in functions relating to the management of cyber security risk (such as information technology and security, business units and operations, risk management, business continuity management and internal audit);
(d) Processes and procedures for the identification, detection, assessment, prioritisation, containment, response to, and escalation of cyber security breaches for decision-making;
(e) Processes and procedures for the management of outsourcing, system development and maintenance arrangements with third-party service providers, including requirements for such third-party service providers to comply with the licensee's cyber security risk policy;
(f) Communication procedures that will be activated by the licensee in the event of a cyber security breach, which include reporting procedures, information to be reported, communication channels, list of internal and external stakeholders and communication timeline; and
(g) Other key elements of information security and cyber security risk management, including the following:
i. information security;
ii. data governance and classification;
iii. access controls;
iv. business continuity and disaster recovery planning and resources;
v. capacity and performance planning;
vi. systems operations and availability concerns;
vii. systems and network security;
viii. systems and application development and quality assurance;
ix. physical security and environmental controls;
x. client data privacy;
xi. vendor and third-party service provider management;
xii. monitoring and implementing changes to core protocols not directly controlled by the licensee, as applicable;
xiii. incident response; and
xiv. system audit.
Amended: January 2020
Added: April 2019