Bursa Malaysia Berhad (“Bursa Malaysia” or the “Exchange”), in collaboration with Malaysia’s stockbroking industry, today announced a series of cyber resilience enhancements to strengthen the integrity of the stockbroking ecosystem. These enhancements are outlined in a recommendation paper developed as part of the industry’s collective response to the unauthorised trades incident in late April 2025 (“Recommendation Paper”).
The Recommendation Paper is the collective output of an industry working group formed in June 2025, comprising representatives from both bank-backed and non-bank Participating Organisations (“POs”), as well as cybersecurity experts.
Chaired by Encik Julian M Hashim, Chief Regulatory Officer of Bursa Malaysia, the industry working group was tasked with assessing current industry cybersecurity practices to identify vulnerabilities, developing industry-wide standards for Information Technology (“IT”) risk management and incident response, as well as recommending regulatory and operational improvements.
Dato’ Fad’l Mohamed, Chief Executive Officer of Bursa Malaysia, said, “Our priority is to protect investors and uphold the trust they place in our securities market. These enhancements represent the industry’s commitment to every investor that cybersecurity safeguards are taken seriously, and are of prime importance. By strengthening the cyber resilience of the stockbroking ecosystem, we are actively taking steps to fortify the marketplace where investors can trade with confidence, knowing their investments are protected against cyber threats.”
Julian M Hashim added, “The Recommendation Paper reflects the industry’s promise to act collaboratively. The enhancements outlined are designed to be both actionable and scalable - ensuring that all brokers, regardless of size or complexity, can adopt them meaningfully.”
The finalised Recommendation Paper, issued to brokers today following an industry briefing session, has been reviewed by independent cybersecurity experts to ensure its robustness and alignment with best practices.
Bursa Malaysia will adopt a two-pronged oversight approach to guide the implementation of the enhancements, focusing on:
- enhancing Bursa Malaysia’s IT Security Standards (“ITSS”) for brokers by incorporating the recommended cybersecurity and regulatory standards outlined in the Recommendation Paper, and
- strengthening the Exchange’s oversight of Independent Software Vendors (“ISV”) which are Order Management Systems (“OMS”) providers.
The recommendations are broadly aligned with the Securities Commission Malaysia’s Guidelines on Technology Risk Management (“GTRM”), and Bank Negara Malaysia’s Risk Management in Technology (“RMiT”) framework.
The Recommendation Paper aims to raise industry-wide cybersecurity standards and resilience by setting clear expectations for brokers, including the responsibility to exercise effective oversight over their third-party technology service providers, such as ISVs that provide OMS, to ensure compliance with Bursa Malaysia’s requirements.
The enhancements are grouped into nine key pillars, forming a comprehensive framework for cybersecurity and regulatory controls. These include:
- Security access controls: To ensure that access to systems, applications, and data is appropriately restricted based on user roles and responsibilities, thereby minimising unauthorised access and safeguarding sensitive information.
- Threat detection and protection: To proactively identify, monitor, and respond to potential cybersecurity threats through the deployment of robust detection mechanisms and protective controls, thereby reducing the risk of system compromise and data breaches.
- Patch management: To ensure timely identification, testing, and deployment of software patches and updates, reducing vulnerabilities and maintaining the security and stability of IT systems.
- Infrastructure and operational resilience: To ensure the continuity, reliability, and robustness of IT infrastructure and operations by implementing resilient architecture, redundancy measures, and recovery capabilities that minimise downtime and disruption in the face of adverse events.
- Recovery planning: To establish structured and tested recovery procedures that enable timely restoration of critical systems and data should there be a disruption, ensuring minimal impact on business operations and maintaining service continuity.
- Oversight of technology service providers: To ensure that third-party technology service providers adhere to the brokers’ and regulators’ cybersecurity and operational standards, thereby minimising external risks and maintaining accountability across outsourced functions.
- Incident management: To establish a comprehensive framework for identifying, reporting, managing, and resolving incidents in a timely and effective manner, thereby minimising impact and supporting continuous improvement through post-incident reviews. Such incidents could include cybersecurity breaches, system outages, data loss and other operational disruptions.
- Training and awareness: To foster a security-aware culture by providing ongoing education and targeted training to both internal personnel and external stakeholders, equipping them with the knowledge to effectively recognise or detect, thwart, and respond to IT and cybersecurity risks.
- Dedicated cybersecurity role establishment: To ensure that cybersecurity responsibilities are formally assigned to qualified personnel, whether through internal appointments and/or external engagements, providing focused oversight, strategic direction, and operational execution of cybersecurity initiatives across the brokers’ organisations.
Implementation timeline
Given their critical role in operational resilience and incident response preparedness, standards relating to people, processes, and governance, specifically those under the Recovery Planning and Incident Management pillars, are subject to full compliance within three months of the issuance of the Recommendation Paper.
For pillars that involve system changes or infrastructure upgrades, full compliance is targeted by 31 December 2026. This timeline allows brokers to align internal resources, infrastructure, and operational readiness with the prescribed controls, build capacity, and integrate these standards into existing governance and operational frameworks.
For queries regarding the Recommendation Paper, brokers can email rswg-secretariat@bursamalaysia.com.