PART B POLICY REQUIREMENTS
8 Governance
Responsibilities of the Board of Directors
S 8.1 The board must establish and approve the technology risk appetite which is aligned with the financial institution’s risk appetite statement. In doing so, the board must approve the corresponding risk tolerances for technology-related events and ensure key performance indicators and forward-looking risk indicators are in place to monitor the financial institution’s technology risk against its approved risk tolerance. The board must ensure senior management provides regular updates on the status of these indicators together with sufficiently detailed information on key technology risks and critical technology operations to facilitate strategic decision-making.
S 8.2 The board must ensure and oversee the adequacy of the financial institution’s IT and cybersecurity strategic plans covering a period of no less than three years. These plans shall address the financial institution’s requirements on infrastructure, control measures to mitigate IT and cyber risk, and financial and non-financial resources, which are commensurate with the complexity of the financial institution’s operations and changes in the risk profile as well as the business environment. These plans shall be periodically reviewed, at least once every three years.
S 8.3 The board shall be responsible for overseeing the effective implementation of a sound and robust technology risk management framework (TRMF) and cyber resilience framework (CRF), as required to be developed under paragraphs 9.1 and 11.2, for the financial institution to ensure the continuity of operations and delivery of financial services. The TRMF is a framework to safeguard the financial institution’s information infrastructure, systems and data, whilst the CRF is a framework for ensuring the financial institution’s cyber resilience. The board must ensure that the financial institution’s TRMF and CRF remain relevant on an ongoing basis. The board must also periodically review and affirm the TRMF and CRF, at least once every three years, to guide the financial institution’s management of technology risks.
S 8.4 The board must designate a board-level committee[2] which shall be responsible for supporting the board in providing oversight over technology-related matters. Among other things, the committee shall review the technology-related frameworks, including the requirements spelt out in paragraphs 8.1 through 8.3, for the board’s approval, and ensure that risk assessments undertaken in relation to material technology applications submitted to the Bank are robust and comprehensive.
[2] The board of a financial institution may either designate an existing board committee or establish a separate committee for this purpose. Where such a committee is separate from the Board Risk Committee (BRC), there must be appropriate interface between this committee and the BRC on technology risk-related matters to ensure effective oversight of all risks at the enterprise level.
Risk Management in Technology 9 of 67
Issued on: 1 June 2023
G 8.5 To promote effective technology discussions at the board level, the composition of the board and the designated board-level committee should include at least a member with technology experience and competencies.
S 8.6 Given the rapidly evolving cyber threat landscape, the board shall allocate sufficient time to discuss cyber risks and related issues, including the strategic and reputational risks associated with a cyber-incident. This shall be supported by input from external experts as appropriate. The board must also ensure its continuous engagement in cybersecurity preparedness, education and training.
S 8.7 The board audit committee (BAC) is responsible for ensuring the effectiveness of the internal technology audit function. This includes ensuring the adequate competence of the audit staff to perform technology audits. The BAC shall review and ensure appropriate audit scope, procedures and frequency of technology audits. The BAC must also ensure effective oversight over the prompt closure of corrective actions to address technology control gaps.
Responsibilities of the senior management
S 8.8 A financial institution’s senior management must translate the board-approved TRMF and CRF into specific policies and procedures that are consistent with the approved risk appetite and risk tolerance and supported by effective reporting and escalation procedures.
S 8.9 The senior management must establish a cross-functional committee to provide guidance on the financial institution’s technology plans and operations. The members of the committee must include senior management from both technology functions and major business units. The committee’s responsibilities shall include the following:
(a) oversee the formulation and effective implementation of the strategic technology plan and associated technology policies and procedures;
(b) provide timely updates to the board on key technology matters[3]; and
(c) approve any deviation from technology-related policies after having carefully considered a robust assessment of related risks. Material deviations shall be reported to the board.
S 8.10 Senior management must ensure the adequate allocation of resources to maintain robust technology systems and appropriately skilled and competent staff to support the effective management of technology risk.
S 8.11 For large financial institutions, senior management must embed appropriate oversight arrangements within the technology function to support the enterprise-wide oversight of technology risk. These arrangements must provide for designated staff responsible for the identification, assessment and mitigation of technology risks who do not engage in day-to-day technology operations.
[3] Key technology matters include updates on critical systems’ performance, significant IT and cyber-incidents, management of technology obsolescence risk, status of patch deployment activities for critical technology infrastructure, proposals for and progress of strategic technology projects, performance of critical technology outsourcing activities and utilisation of the technology budget.
S 8.12 For the purpose of paragraph 8.11 and all other requirements applicable to large financial institutions under this policy document, each financial institution shall conduct a self-assessment on whether it is a large financial institution in accordance with the definition in paragraph 5.2. The self-assessment shall take into account –
(a) the complexity of the financial institution’s operations, having particular regard to the interconnectedness of its operations with other financial institutions, customers and counterparties that are driven by technology;
(b) the number and size of the financial institution’s significant business lines together with its market share[4] (e.g. in terms of assets, liabilities, revenue and premiums);
(c) the number of subsidiaries, branches and agents; and
(d) other business considerations that could give rise to technology risk.
S 8.13 Notwithstanding the self-assessment in paragraph 8.12, the Bank may designate a financial institution as a large financial institution and such financial institutions shall comply with all requirements in this policy document applicable to a large financial institution.
9 Technology Risk Management
S 9.1 A financial institution must ensure that the TRMF is an integral part of the financial institution’s enterprise risk management framework (ERM).
S 9.2 The TRMF must include the following:
(a) a clear definition of technology risk;
(b) clear responsibilities assigned for the management of technology risk at different levels and across functions, with appropriate governance and reporting arrangements;
(c) the identification of technology risks to which the financial institution is exposed, including risks from the adoption of new or emerging technology;
(d) risk classification of all information assets/systems based on their criticality;
(e) risk measurement and assessment approaches and methodologies;
(f) risk controls and mitigations; and
(g) continuous monitoring to detect and address any material risks in a timely manner.
S 9.3 A financial institution must establish an independent enterprise-wide technology risk management function which is responsible for —
(a) implementing the TRMF and CRF;
(b) advising on critical technology projects and ensuring critical issues that may have an impact on the financial institution’s risk tolerance are adequately deliberated or escalated in a timely manner; and
(c) providing independent views to the board and senior management on third party assessments[5], where necessary.
[4] Size is an indicator of the potential systemic impact that any failure or breach of the financial institution’s IT systems may have on the broader financial system. When determining the significance of its size, the financial institution shall consider the extent to which the broader market segment may be unable to access relevant financial services in the event of a disruption to its systems. It should also consider the extent to which the operations of other institutions may be disrupted due to a reliance on services provided by the financial institution that may not be immediately substitutable.
S 9.4 A financial institution must designate a Chief Information Security Officer (CISO), by whatever name called, to be responsible for the technology risk management function of the financial institution. The financial institution must ensure that the CISO has sufficient authority, independence and resources[6]. The CISO shall —
(a) be independent from day-to-day technology operations;
(b) keep apprised of current and emerging technology risks which could potentially affect the financial institution’s risk profile; and
(c) be appropriately certified.
S 9.5 The CISO is responsible for ensuring the financial institution’s information assets and technologies are adequately protected, which includes —
(a) formulating appropriate policies for the effective implementation of the TRMF and CRF;
(b) enforcing compliance with these policies, frameworks and other technology-related regulatory requirements; and
(c) advising senior management on technology risk and security matters, including developments in the financial institution’s technology security risk profile in relation to its business and operations.
10 Technology Operations Management
Technology Project Management
S 10.1 A financial institution must establish appropriate governance requirements commensurate with the risk and complexity[7] of technology projects undertaken. This shall include project oversight roles and responsibilities, authority and reporting structures, and risk assessments throughout the project life cycle.
S 10.2 The risk assessments shall identify and address the key risks arising from the implementation of technology projects. These include the risks that could threaten successful project implementation and the risks that a project failure will lead to a broader impact on the financial institution’s operational capabilities. At a minimum, due regard shall be given to the following areas:
(a) the adequacy and competency of resources, including those of the vendor, to effectively implement the project. This shall also take into consideration the number, size and duration of significant technology projects already undertaken concurrently by the financial institution;
(b) the complexity of systems to be implemented, such as the use of unproven or unfamiliar technology and the corresponding risks of integrating the new technology into existing systems, managing multiple vendor-proprietary technologies, large-scale data migration or cleansing efforts and extensive system customisation;
(c) the adequacy and configuration of security controls throughout the project life cycle to mitigate cybersecurity breaches or exposure of confidential data;
(d) the comprehensiveness of the user requirement specifications to mitigate risks from extensive changes in project scope or deficiencies in meeting business needs;
(e) the robustness of system and user testing strategies to reduce risks of undiscovered system faults and functionality errors;
(f) the appropriateness of system deployment and fallback strategies to mitigate risks from prolonged system stability issues; and
(g) the adequacy of disaster recovery operational readiness following the implementation of new or enhanced systems.
[5] Relevant third party assessments may include the Data Centre Risk Assessment (DCRA), Network Resilience and Risk Assessment (NRA) and independent assurance for introduction of new or enhanced digital services.
[6] A financial institution’s CISO may take guidance from the expertise of a group-level CISO, in or outside of Malaysia, and may also hold other roles and responsibilities. Such designated CISO shall be accountable for and serve as the point of contact with the Bank on the financial institution’s technology-related matters, including managing entity-specific risks, supporting prompt incident response and reporting to the financial institution’s board.
[7] For example, large-scale integration projects or those involving critical systems should be subject to more stringent project governance requirements such as more frequent reporting to the board and senior management, more experienced project managers and sponsors, more frequent milestone reviews and independent quality assurance at major project approval stages.
S 10.3 The board and senior management must receive and review timely reports on the management of these risks on an ongoing basis throughout the implementation of significant projects.