A torrent of technology-driven innovation in financial markets and services has reshaped how markets are structured; how companies access and deploy capital; how investors respond and react to information; and how customers receive and use financial services in their new innovative form. Responding faster to rapid technological advancement and shifting market dynamics requires fresh thinking as to how regulation can best foster the responsible development of this digital industry. Similarly, as an international financial marketplace, Labuan IBFC is no exception to a more agile and iterative rulemaking process. The Authority has been promoting digital innovation for business solutions that are tailored to current market needs, whilst ensuring businesses are conducted in a conducive and safe operating environment.

Regulatory enhancement for digital businesses

Current digital transformation megatrends are fast changing the way financial institutions operate. These require rapid regulatory responses that are appropriate to the nature and complexity of the financial institutions' digital and virtual operations. The Authority recognises that no single regulatory model fits all, and divergent regulatory frameworks in a complex, fast-moving landscape can add complexity, create uncertainty and dampen innovation. Against this backdrop, the Authority developed appropriate prudential policy measures to safeguard the Labuan financial institutions (LFIs) from cyber vulnerabilities and prepare the market to embrace digital transformation in the new norm operating landscape. The measures were aimed at:

(i) enhancing business contingency planning to minimise material consequences arising from any major operational disruptions; and
(ii) strengthening cyber resilience for digital operations to ensure operational agility and efficiency.

Enhancing market practices for business contingency and cyber resilience

As part of initiatives to ensure that LFIs maintain operational resilience and effectively manage the emerging cyber risks and other related vulnerabilities arising from digital transformation, the Authority had embarked on regulatory policy enhancements as depicted in the diagram below.

[Diagram: regulatory policy enhancements undertaken by the Authority]

The following are the key policy enhancements that are being undertaken by the Authority:

(i) Guiding Principles on Business Continuity Management, which provided principle-based requirements for LFIs to:

  • maintain a sound and effective business continuity management (BCM) with board and senior management oversight;
  • assess and mitigate risks from major disruptions, concentration of critical business functions and outsourcing arrangements as part of its BCM;
  • adopt recovery strategies that reflect the magnitude of the potential disruption risks to the LFI's critical business operation;
  • develop the IT disaster recovery plan for critical business functions and related technology infrastructure to provide assurance to relevant internal and external stakeholders of the LFI's preparedness in the event of a major disruption;
  • conduct continuous organisation-wide awareness and testing for business continuity and resumption plans;
  • develop an effective communication plan to address the reputational risks; and
  • undertake periodic review and maintenance of approaches and strategies for business continuity to assess the LFI's operating environment and business circumstances.

(ii) Digital Governance Framework that is intended to inculcate effective management of cyber risks by requiring the LFIs to:

  • ensure that its digital governance and cyber risk management is overseen and approved by the board and senior management;
  • maintain enterprise-wide strategies to preserve data confidentiality, system security and resilience in a systematic and consistent manner;
  • implement robust security controls that are matched with the risk and complexity of its digital services on a continuous basis;
  • effect obligations of the external service provider for the outsourced IT systems and digital services in the service legal agreement; and
  • conduct awareness programmes and participate in training for emerging cyber risks and digital-related issues to mitigate cyber threats and vulnerabilities.
