Bank Negara Malaysia (BNM) this month issued a policy document on Risk Management in Technology (RMiT), requiring all financial institutions including licensed Islamic banks and Islamic digital banks as well as (re)Takaful operators and e-money license holders to implement robust risk management controls above the minimum regulatory standards.
Key highlights
- The 67-page policy document covers six general policy areas: governance, technology risk management, technology operations management, cybersecurity management, technology audit and internal awareness and training and three regulatory processes: notification of technology-related applications, consultation and notification related to cloud services and assessment and gap analysis
- The document includes additional guidance to strengthen financial institution’s cloud risk management capabilities
- It embodies a shift to a risk-based approach in cloud consultation and notification process
- It includes updated cross references including multi-factor authentication security control
- Board of financial institutions must designate a board-level committee to support it in providing oversight over technology-related matters
- Financial institutions are required to appoint a chief information security officer, by whatever name called, to be responsible for the technology risk management function, independent from day-to-day technology operations
- Financial institutions must establish an enterprise architecture framework that provides a holistic view of technology throughout their companies as well as establish clear risk management policies and practices for key phases of system development life cycle (SDLC)
- Financial institutions need to adopt strong cryptographic controls for protection of data and information
- Financial institutions shall host critical systems in a dedicated space intended for production data center usage and appoint an external service provider to conduct resilience and risk assessment for the data center
- Financial institutions need to enforce and monitor cash self-service terminals (SSTs) end-point protection such as installing whitelisting programs
- Financial institutions must develop a cyber resilience framework
- Financial institutions must provide adequate and continuous training for staff involved in technology operations, cybersecurity and risk management as well as adequate regular technology and cybersecurity awareness education for all staff
- Financial institutions need to consult BNM prior to the first-time adoption of public cloud for critical systems
- Financial institutions need to perform a gap analysis of existing practices in managing technology risk against requirements outlined in the RMiT policy document
- The RMiT policy document is effective from the 1st June 2023 except provision on SDLC, cash SSTs and key risks and control measures for cloud services