SFC sets out data management expectations

The SFC’s latest circular outlines its expectations for licensed corporations’ data risk management practices, in light of its recent thematic review.

Drawing on the thematic review, the circular describes observed industry practices and highlights areas for improvement. It applies to all licensed corporations (LCs) and sets out expected standards for the data risk governance framework, for controls and monitoring across the data lifecycle, and for the use of third-party service providers.

According to the SFC, LCs should have:

  • an effective risk governance framework
  • defined management responsibilities
  • structured protocols to mitigate the risk of operational disruption and of reputational or financial loss arising from inadequate data management practices.

LCs should also implement controls and monitoring processes to mitigate data risks arising from data leakage and loss, poor data quality and unauthorised access to data. The SFC emphasises the importance of managing the whole data lifecycle, which covers data collection, classification, usage, retention, transfer and disposal, as well as the use of third-party service providers.

Taken together with previous circulars that addressed, directly or in passing, cybersecurity, IT and data management, the thematic review's focus on data risk management makes it clear that this is an increasing area of attention for the regulator.

How we can help

We can help you understand the regulator's expected standards, perform a gap analysis of your existing data risk management system and controls, and help you close any gaps identified. Our specialist team can also review and enhance your procedures to meet the relevant requirements and expectations, including through ad hoc reviews tailored to your specific needs.