Given the increasing reliance of Financial Institutions (FIs) on technology and online systems and the increasing threat of cyber attacks, it is timely that the Bank Negara Malaysia (BNM) issued, on 4 September 2018, a set of minimum standards on technology risk and cybersecurity management by FIs in Malaysia - the Risk Management in Technology policy document (RMiT).
The RMiT has been issued as an exposure draft which it is intended will come into force on 1 June 2019 and will apply to the following categories of FIs in Malaysia - all licensed banks and a number of other licensed financial institutions including: insurers, takaful operators and prescribed development financial institutions. If the RMiT is finalized as proposed there will be some, although not complete, alignment by the BNM with the Monetary Authority of Singapore (MAS) guidelines on managing technology risk.
The key requirements proposed by the RMiT include:
Board and Senior Management Responsibilities
Similar to the MAS Technology Guidelines, the board of directors of FIs (“Board”) will have overall responsibility and oversight for the implementation of a robust technology risk management framework. The Board is required, amongst other obligations, to put in place a technology risk management framework (i.e. a framework for safeguarding the FI's information infrastructure, systems and data) ("TRMF") and a cyber resilience framework (i.e. a framework for ensuring the FI's financial resilience) ("CRF"). The senior management of FIs are tasked with implementing the TRMF and CRF through specific policies and procedures. Stricter requirements are imposed on large FIs under the RMiT Exposure Draft.
Chief Information Security Officer
The RMiT Exposure Draft mandates FIs to designate a Chief Information Security Officer who responsibilities will include ensuring information assets and technologies are adequately protected and enforcing compliance with the TRMF and CRF.
Given the importance of data centres to the operations of an FI, the RMiT Exposure Draft includes a requirement on FIs to ensure that their production data centres meet international standards (such as having multiple paths for power as well as cooling systems in place). Minimum technical requirements must also be put in place where FIs host their production data centres on third-party facilities.
There is also greater clarity on the use of cloud services. Save for certain critical technology functions and confidential information which cannot be hosted on a public cloud, the RMiT Exposure Draft does not prohibit the use of cloud.
Outsourcing to Third-Parties
Similar to the MAS Technology Guidelines, the RMiT Exposure Draft requires comprehensive due diligence to be conducted on third-party service providers before critical technology functions and systems can be outsourced. The outsourcing arrangements will also need to be recorded in service level agreements and incorporate certain minimum requirements. For licensed banks and insurers, additional obligations are encapsulated in the outsourcing policy document issued by BNM.
The issue of the RMiT reflects the growing sentiment among financial regulators in the region that FIs will need to bolster their cyber defences to greater protect customer data. MAS recently issued a consultation paper (Notice on Cyber Hygiene dated 6 September 2018) which seeks to prescribe certain cyber security standards as baseline hygience standards for cyber security and the RMiT follows this theme.
Given these developments we advise:
FIs to immediately take the opportunity to review existing systems, frameworks and processes. This will include revising any existing cybersecurity policies to align with the RMiT and MAS guidelines.
Review without delay their talent pool who can undertake the necessary work, given the worldwide shortage of suitably qualified cyber security expertise.
Contributors: Brian Chia & Serene Kan