CRA-5.8.4
The management is responsible for:
(a) establishing and implementing cyber security policies and procedures that are commensurate with the level of cyber security risk exposure and its impact on the licensee. These policies and procedures must take into account the following:
(i) The sensitivity and confidentiality of data which the licensee maintains;
(ii) Vulnerabilities of the licensee's information systems and operating environment across the licensee; and
(iii) The existing and emerging cyber security threats.
(b) ensuring that employees, agents (where relevant) and third party service providers are aware of and understand the cyber security risk policies and procedures, the possible impact of various cyber security threats and their respective roles in managing such threats;
(c) recommending to the board appropriate strategies and measures to manage cyber security risk, including making necessary changes to existing policies and procedures, as appropriate; and
(d) reporting to the board any cyber security breaches and periodically updating the board on emerging cyber security threats and their potential impact on the entity.
Amended: April 2023
Amended: January 2020
Added: April 2019