
BNM RMIT 2023 Part 2

PART B  POLICY REQUIREMENTS 

8           Governance 

Responsibilities of the Board of Directors 

S 8.1  The board must establish and approve the technology risk appetite which is aligned with the financial institution’s risk appetite statement. In doing so, the board must approve the corresponding risk tolerances for technology-related events and ensure key performance indicators and forward-looking risk indicators are in place to monitor the financial institution’s technology risk against its approved risk tolerance. The board must ensure senior management provides regular updates on the status of these indicators together with sufficiently detailed information on key technology risks and critical technology operations to facilitate strategic decision-making.

S 8.2  The board must ensure and oversee the adequacy of the financial institution’s IT and cybersecurity strategic plans covering a period of no less than three years. These plans shall address the financial institution’s requirements on infrastructure, control measures to mitigate IT and cyber risk and financial and non-financial resources, which are commensurate with the complexity of the financial institution’s operations and changes in the risk profile as well as the business environment. These plans shall be periodically reviewed, at least once every three years.

S 8.3  The board shall be responsible to oversee the effective implementation of a sound and robust technology risk management framework (TRMF) and cyber resilience framework (CRF), as required to be developed under paragraphs 9.1 and 11.2, for the financial institution to ensure the continuity of operations and delivery of financial services. The TRMF is a framework to safeguard the financial institution’s information infrastructure, systems and data, whilst the CRF is a framework for ensuring the financial institution’s cyber resilience. The board must ensure that the financial institution’s TRMF and CRF remain relevant on an ongoing basis. The board must also periodically review and affirm the TRMF and CRF, at least once every three years to guide the financial institution’s management of technology risks.

S 8.4  The board must designate a board-level committee [2] which shall be responsible for supporting the board in providing oversight over technology-related matters. Among other things, the committee shall review the technology-related frameworks including the requirements spelt out in paragraphs 8.1 through 8.3, for the board’s approval, and ensure that risk assessments undertaken in relation to material technology applications submitted to the Bank are robust and comprehensive.

[2] The board of a financial institution may either designate an existing board committee or establish a separate committee for this purpose. Where such a committee is separate from the Board Risk Committee (BRC), there must be appropriate interface between this committee and the BRC on technology risk-related matters to ensure effective oversight of all risks at the enterprise level.

Risk Management in Technology 9 of 67
Issued on: 1 June 2023

G 8.5  To promote effective technology discussions at the board level, the composition of the board and the designated board-level committee should include at least a member with technology experience and competencies.

S 8.6  Given the rapidly evolving cyber threat landscape, the board shall allocate sufficient time to discuss cyber risks and related issues, including the strategic and reputational risks associated with a cyber-incident. This shall be supported by input from external experts as appropriate. The board must also ensure its continuous engagement in cybersecurity preparedness, education and training.

S 8.7  The board audit committee (BAC) is responsible for ensuring the effectiveness of the internal technology audit function. This includes ensuring the adequate competence of the audit staff to perform technology audits. The BAC shall review and ensure appropriate audit scope, procedures and frequency of technology audits. The BAC must also ensure effective oversight over the prompt closure of corrective actions to address technology control gaps.

 Responsibilities of the senior management 

S 8.8  A financial institution’s senior management must translate the board-approved TRMF and CRF into specific policies and procedures that are consistent with the approved risk appetite and risk tolerance and supported by effective reporting and escalation procedures.

S 8.9  The senior management must establish a cross-functional committee to provide guidance on the financial institution’s technology plans and operations. The members of the committee must include senior management from both technology functions and major business units. The committee’s responsibilities shall include the following:

(a) oversee the formulation and effective implementation of the strategic technology plan and associated technology policies and procedures;

(b) provide timely updates to the board on key technology matters [3]; and

(c) approve any deviation from technology-related policies after having carefully considered a robust assessment of related risks. Material deviations shall be reported to the board.

S 8.10  Senior management must ensure the adequate allocation of resources to maintain robust technology systems and appropriately skilled and competent staff to support the effective management of technology risk.

S 8.11  For large financial institutions, senior management must embed appropriate oversight arrangements within the technology function to support the enterprise-wide oversight of technology risk. These arrangements must provide for designated staff responsible for the identification, assessment and mitigation of technology risks who do not engage in day-to-day technology operations.

[3] Key technology matters include updates on critical systems’ performance, significant IT and cyber-incidents, management of technology obsolescence risk, status of patch deployment activities for critical technology infrastructure, proposals for and progress of strategic technology projects, performance of critical technology outsourcing activities and utilisation of the technology budget.

S 8.12  For the purpose of paragraph 8.11 and all other requirements applicable to large financial institutions under this policy document, each financial institution shall conduct a self-assessment on whether it is a large financial institution in accordance with the definition in paragraph 5.2. The self-assessment shall take into account –

(a) the complexity of the financial institution’s operations, having particular regard to the interconnectedness of its operations with other financial institutions, customers and counterparties that are driven by technology;

(b) the number and size of the financial institution’s significant business lines together with its market share [4] (e.g. in terms of assets, liabilities, revenue and premiums);

(c) the number of subsidiaries, branches and agents; and

(d) other business considerations that could give rise to technology risk.

S 8.13  Notwithstanding the self-assessment in paragraph 8.12, the Bank may designate a financial institution as a large financial institution and such financial institutions shall comply with all requirements in this policy document applicable to a large financial institution.

9          Technology Risk Management 

S 9.1  A financial institution must ensure that the TRMF is an integral part of the financial institution’s enterprise risk management framework (ERM).

S 9.2  The TRMF must include the following: 

(a) clear definition of technology risk; 

(b) clear responsibilities assigned for the management of technology risk at different levels and across functions, with appropriate governance and reporting arrangements; 

(c) the identification of technology risks to which the financial institution is exposed, including risks from the adoption of new or emerging technology;

(d) risk classification of all information assets/systems based on its criticality; 

(e) risk measurement and assessment approaches and methodologies; 

(f) risk controls and mitigations; and 

(g) continuous monitoring to timely detect and address any material risks. 

S 9.3  A financial institution must establish an independent enterprise-wide technology risk management function which is responsible for —

(a) implementing the TRMF and CRF;

(b) advising on critical technology projects and ensuring critical issues that may have an impact on the financial institution’s risk tolerance are adequately deliberated or escalated in a timely manner; and

(c) providing independent views to the board and senior management on third party assessments [5], where necessary.

[4] Size is an indicator of the potential systemic impact that any failure or breach of the financial institution’s IT systems may have on the broader financial system. When determining the significance of its size, the financial institution shall consider the extent to which the broader market segment may be unable to access relevant financial services in the event of a disruption to its systems. It should also consider the extent to which the operations of other institutions may be disrupted due to a reliance on services provided by the financial institution that may not be immediately substitutable.

S 9.4  A financial institution must designate a Chief Information Security Officer (CISO), by whatever name called, to be responsible for the technology risk management function of the financial institution. The financial institution must ensure that the CISO has sufficient authority, independence and resources [6]. The CISO shall —

(a) be independent from day-to-day technology operations;

(b) keep apprised of current and emerging technology risks which could potentially affect the financial institution’s risk profile; and

(c) be appropriately certified.

S 9.5  The CISO is responsible for ensuring the financial institution’s information assets and technologies are adequately protected, which includes —

(a) formulating appropriate policies for the effective implementation of TRMF and CRF;

(b) enforcing compliance with these policies, frameworks and other technology-related regulatory requirements; and

(c) advising senior management on technology risk and security matters, including developments in the financial institution’s technology security risk profile in relation to its business and operations.

10        Technology Operations Management 

 Technology Project Management  

S 10.1  A financial institution must establish appropriate governance requirements commensurate with the risk and complexity [7] of technology projects undertaken. This shall include project oversight roles and responsibilities, authority and reporting structures, and risk assessments throughout the project life cycle.

S 10.2  The risk assessments shall identify and address the key risks arising from the implementation of technology projects. These include the risks that could threaten successful project implementation and the risks that a project failure will lead to a broader impact on the financial institution’s operational capabilities. At a minimum, due regard shall be given to the following areas:

(a) the adequacy and competency of resources including those of the vendor to effectively implement the project. This shall also take into consideration the number, size and duration of significant technology projects already undertaken concurrently by the financial institution;

(b) the complexity of systems to be implemented such as the use of unproven or unfamiliar technology and the corresponding risks of integrating the new technology into existing systems, managing multiple vendor-proprietary technologies, large-scale data migration or cleansing efforts and extensive system customisation;

(c) the adequacy and configuration of security controls throughout the project life cycle to mitigate cybersecurity breaches or exposure of confidential data;

(d) the comprehensiveness of the user requirement specifications to mitigate risks from extensive changes in project scope or deficiencies in meeting business needs;

(e) the robustness of system and user testing strategies to reduce risks of undiscovered system faults and functionality errors;

(f) the appropriateness of system deployment and fallback strategies to mitigate risks from prolonged system stability issues; and

(g) the adequacy of disaster recovery operational readiness following the implementation of new or enhanced systems.

[5] Relevant third party assessments may include the Data Centre Risk Assessment (DCRA), Network Resilience and Risk Assessment (NRA) and independent assurance for introduction of new or enhanced digital services.

[6] A financial institution’s CISO may take guidance from the expertise of a group-level CISO, in or outside of Malaysia, and may also hold other roles and responsibilities. Such designated CISO shall be accountable for and serve as the point of contact with the Bank on the financial institution’s technology-related matters, including managing entity-specific risks, supporting prompt incident response and reporting to the financial institution’s board.

[7] For example, large-scale integration projects or those involving critical systems should be subject to more stringent project governance requirements such as more frequent reporting to the board and senior management, more experienced project managers and sponsors, more frequent milestone reviews and independent quality assurance at major project approval stages.

S 10.3  The board and senior management must receive and review timely reports on the management of these risks on an ongoing basis throughout the implementation of significant projects.


BNM RMIT 2023 Part 1

Risk Management in Technology (RMiT) 

Applicable to: 

1. Licensed banks, including licensed digital banks
2. Licensed investment banks
3. Licensed Islamic banks, including licensed Islamic digital banks
4. Licensed insurers including professional reinsurers
5. Licensed takaful operators including professional retakaful operators
6. Prescribed development financial institutions
7. Approved issuers of electronic money
8. Operator of a designated payment system

Issued on: 1 June 2023    BNM/RH/PD 028-98

TABLE OF CONTENTS

PART A  OVERVIEW ... 3
1   Introduction ... 3
2   Applicability ... 3
3   Legal provision ... 3
4   Effective date ... 4
5   Interpretation ... 4
6   Related legal instruments and policy documents ... 6
7   Policy documents and circulars superseded ... 6
PART B  POLICY REQUIREMENTS ... 8
8   Governance ... 8
9   Technology Risk Management ... 10
10  Technology Operations Management ... 11
11  Cybersecurity Management ... 25
12  Technology Audit ... 31
13  Internal Awareness and Training ... 31
PART C  REGULATORY PROCESS ... 32
14  Notification for Technology-Related Applications ... 32
15  Consultation and Notification related to Cloud Services ... 34
16  Assessment and Gap Analysis ... 35
APPENDICES ... 36
Appendix 1   Storage and Transportation of Sensitive Data in Removable Media ... 36
Appendix 2   Control Measures on Self-service Terminals (SST) ... 37
Appendix 3   Control Measures on Internet Banking ... 40
Appendix 4   Control Measures on Mobile Application and Devices ... 41
Appendix 5   Control Measures on Cybersecurity ... 42
Appendix 6   Positive List for Enhancements to Electronic Banking, Internet Insurance and Internet Takaful Services ... 43
Appendix 7   Risk Assessment Report ... 47
Appendix 8   Format of Confirmation ... 49
Appendix 9   Supervisory Expectations on External Party Assurance ... 50
Appendix 10  Key Risks and Control Measures for Cloud Services ... 52

PART A  OVERVIEW

1           Introduction

1.1 Technology risk refers to risks emanating from the use of information technology (IT) and the Internet. These risks arise from failures or breaches of IT systems, applications, platforms or infrastructure, which could result in financial loss, disruptions in financial services or operations, or reputational harm to a financial institution.

1.2 With the more prevalent use of technology in the provision of financial services, there is a need for financial institutions to strengthen their technology resilience against operational disruptions to maintain confidence in the financial system. The growing sophistication of cyber threats also calls for the increased vigilance and capability of financial institutions to respond to emerging threats. Critically, this should ensure the continuous availability of essential financial services to customers and adequate protection of customer data. 

1.3 This policy document sets out the Bank’s requirements with regard to financial institutions’ management of technology risk. In complying with these requirements, a financial institution shall have regard to the size and complexity of its operations. Accordingly, larger and more complex financial institutions are expected to demonstrate risk management practices and controls that are commensurate with the increased technology risk exposure of the institution. In addition, all financial institutions shall observe minimum prescribed standards in this policy document to prevent the exploitation of weak links in interconnected networks and systems that may cause detriment to other financial institutions and the wider financial system. The control measures set out in Appendices 1 to 5 and Appendix 10 serve as a guide for sound practices in defined areas. Financial institutions should be prepared to explain alternative risk management practices that depart from the control measures outlined in the Appendices and demonstrate their effectiveness in addressing the financial institution’s technology risk exposure.

2           Applicability 

2.1  This policy document is applicable to all financial institutions as defined in paragraph 5.2.

3          Legal provision

3.1  The requirements in this policy document are specified pursuant to—

(a) Sections 47(1) and 143(2) of the Financial Services Act 2013 (FSA);

(b) Sections 57(1) and 155(2) of the Islamic Financial Services Act 2013 (IFSA); and

(c) Sections 41(1) and 116(1) of the Development Financial Institutions Act 2002 (DFIA).

3.2  The guidance in this policy document is issued pursuant to section 266 of the FSA, section 277 of the IFSA and section 126 of the DFIA.

4           Effective date 

4.1  This policy document comes into effect on 1 June 2023 except for paragraph 10.50, paragraph 15 and Appendix 10 which come into effect on the corresponding dates in respect of the relevant financial institutions other than a licensed digital bank or licensed Islamic digital bank as set out below:

(a) 1 June 2024 in respect of financial institutions which have already adopted public cloud for critical systems prior to the issuance date of this policy document. However, if any of the terms of the financial institution’s existing contracts with the cloud service providers are not in accordance with the provisions of Appendix 10, the financial institutions may make the necessary amendments or modifications during the next renewal of the relevant contracts with the cloud service providers i.e., after the effective date of the relevant provisions in this policy document in respect of the financial institution; and

(b) 1 June 2024 in respect of financial institutions which have not adopted public cloud for critical systems prior to the issuance date of this policy document.

4.2 This policy document comes into effect on 1 June 2023 in respect of a licensed digital bank or licensed Islamic digital bank.

5          Interpretation 

 5.1 The terms and expressions used in this policy document shall have the same meanings assigned to them in the FSA, IFSA or DFIA, as the case may be, unless otherwise defined in this policy document. 

  5.2 For purposes of this policy document – 

“S” denotes a standard, an obligation, a requirement, specification, direction, condition and any interpretative, supplemental and transitional provisions that must be complied with. Non-compliance may result in enforcement action;

“G” denotes guidance which may consist of statements or information intended to promote common understanding and advice or recommendations that are encouraged to be adopted;

“board” refers to the board of directors of a financial institution, including any committee carrying out any of the responsibilities of the board under this policy document;

“critical system” refers to any application system that supports the provision of critical banking, insurance or payment services, where failure of the system has the potential to significantly impair the financial institution’s provision of financial services to customers or counterparties, business operations, financial position, reputation, or compliance with applicable laws and regulatory requirements;

“customer and counterparty information” refers to any information relating to the affairs or, in particular, the account, of any customer or counterparty of a financial institution in whatever form;

“cyber resilience” refers to the ability of people, processes, IT systems, applications, platforms or infrastructures to withstand adverse cyber events;

 “cyber risk” refers to threats or vulnerabilities emanating from the connectivity of internal technology infrastructure to external networks or the Internet; 

“digital services” refers to the provision of payment, banking, Islamic banking, insurance or takaful services delivered to customers via electronic channels and devices including Internet and mobile devices, self-service and point-of-sale terminals;

“financial institution” refers to –

(a) a licensed person under the FSA and the IFSA (excluding branches of a foreign professional reinsurer and a professional retakaful operator);

(b) a prescribed institution under the DFIA;

(c) an eligible issuer of e-money as defined in the policy document on Interoperable Credit Transfer Framework [1]; and

(d) an operator of a designated payment system;

“large financial institution” refers to –

(a) a financial institution with one or more business lines that are significant in terms of market share in the relevant industry; or

(b) a financial institution with a large network of offices within or outside Malaysia through operations of branches and subsidiaries;

“material technology projects” refers to projects which involve critical systems, the delivery of essential services to customers or counterparties, or compliance with regulatory requirements;

“OTP or one-time password” refers to an alphanumeric or numeric code represented by a minimum of 6 characters or digits which is valid only for single use;

“public cloud” refers to a fully virtualised environment in which a service provider makes resources such as platforms, applications or storage available to the public over the Internet via a logically separated multi-tenant architecture;

[1] For ease of reference, an “eligible issuer of e-money” is defined as an approved issuer of electronic money with substantial market presence based on the criteria set out in Appendix 1 of the policy document on Interoperable Credit Transfer Framework.

“production data centre” refers to any facility which hosts active critical production application systems irrespective of location;

“recovery data centre” refers to a facility that a financial institution plans to activate to recover and restore its IT applications and operations upon failure of its production data centre irrespective of location;

“senior management” refers to the Chief Executive Officer (CEO) and senior officers;

“third party service provider” refers to an internal group affiliate or external entity providing technology-related functions or services that involve the transmission, processing, storage or handling of confidential information pertaining to the financial institution or its customers. This includes cloud computing software, platform and infrastructure service providers;

“cloud service provider” refers to a third party service provider who provides cloud services to financial institutions.

6          Related legal instruments and policy documents 

6.1  This policy document must be read together with any relevant legal instruments, policy documents, guidelines etc. issued by the Bank, including any amendments and reissuances thereafter, in particular —

(a) Policy Document on Risk Governance issued on 1 March 2013;

(b) Policy Document on Compliance issued on 10 May 2016;

(c) Policy Document on Outsourcing issued on 23 October 2019;

(d) Policy Document on Operational Risk issued on 10 May 2016;

(e) Policy Document on Operational Risk Reporting Requirement – Operational Risk Integrated Online Network (ORION) issued on 25 February 2021;

(f) Policy Document on Introduction of New Products issued on 7 March 2014;

(g) Policy Document on Interoperable Credit Transfer Framework issued on 23 December 2019;

(h) Policy Document on Business Continuity Management issued on 19 December 2022;

(i) Provisions under paragraphs 21, 22 and 26 of the Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions issued on 30 March 2010;

(j) Guidelines on Data Management and MIS Framework issued on 23 October 2008; and

(k) Guidelines on Data Management and MIS Framework for Development Financial Institutions issued on 5 November 2012.

7          Policy documents and circulars superseded 

7.1  This policy document supersedes the following circulars, guidelines and policy documents:

(a) Guidelines on Management of IT Environment (GPIS 1) issued in May 2004;

(b) Circular on Prior Notification by Licensed Institutions for External System Interfaces issued on 22 November 2010;

(c) Preparedness against Distributed Denial of Service Attack issued on 17 October 2011;

(d) Managing Inherent Risk of Internet Banking Kiosks issued on 5 December 2011;

(e) Circular on Managing Risks of Malware Attacks on Automated Teller Machine (ATM) issued on 3 October 2014;

(f) Managing Cyber Risk Circular issued on 31 July 2015;

(g) Managing Cyber Risks on Remote Desktop Protocol Circular issued on 20 July 2016;

(h) Revocation of Prior Notification by Licensed Institutions for External System Interfaces issued on 1 June 2017;

(i) Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions, except for the provisions under paragraphs 21, 22 and 26 issued on 18 Nov 2019;

(j) Circular on Internet Takaful issued on 10 Jan 2019;

(k) Letter to CEO dated 31 October 2017 entitled “Immediate Measures for Managing identification of Counterfeit Malaysian Currency Notes at Deposit-Accepting Self Service Terminals (SST)”;

(l) Letter to CEO dated 7 November 2017 entitled “Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions (“Guidelines”) – Specification Pursuant to the Financial Services Act 2013 (“FSA”), Islamic Financial Services Act 2013 (“IFSA”) and Development Financial Institutions Act 2002 (“DFIA”)”;

(m) Letter to CEO dated 10 November 2017 entitled “Storage and Transportation of Sensitive Data in Removable Media”;

(n) Letter to CEO dated 17 May 2018 entitled “Guidelines on Internet Insurance (Consolidated) (“Guidelines”) and Circular on Internet Takaful (“the Circular”) – Specification Pursuant to the Financial Services Act 2013 (“FSA”) and Islamic Financial Services Act 2013 (“IFSA”)”;

(o) Letter to CEO dated 11 December 2018 entitled “Leveraging on cloud services and upliftment of mobile banking condition”;

(p) Guidelines on Internet Insurance (Consolidated) issued on 10 January 2019;

(q) Letter to CEO dated 18 November 2019 entitled “Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions, Guidelines on Internet Insurance (Consolidated), Circular on Internet Takaful – Specification Pursuant to the Financial Services Act 2013 (“FSA”), Islamic Financial Services Act 2013 (“IFSA”) and the Development Financial Institutions Act 2002 (“DFIA”)”; and

(r) Policy Document on Risk Management in Technology (RMiT) issued on 1 January 2020 except for paragraphs 10.49, 10.50, 10.51 and 10.52 which shall remain applicable until 31 May 2024 in respect of financial institutions described in paragraph 4.1(a) and (b).
