Malaysia's central bank has launched a public consultation on its plans for risk management in the financial sector, including for payments and e-money firms.
Bank Negara Malaysia (BNM) is seeking feedback on a new set of guidelines aiming to enhance cyber resilience and technology risk management within the nation’s financial sector.
The "Risk Management in Technology" (RMiT) exposure draft, released on November 7, outlines stringent new requirements for financial institutions to safeguard against evolving cyber threats, aiming to ensure the security and stability of Malaysia's financial systems.
The proposed rules, which are open for feedback until January 31, 2025, will apply to a wide range of financial institutions, including banks, insurers, e-money issuers, payment system operators and remittance service providers.
Once finalised, the policy is expected to take effect in 2025, with different timelines for specific institution types.
The central bank’s draft emphasises building resilience against rising cyber threats and operational disruptions, a concern fuelled by global trends in cybercrime and the increased complexity of technology systems in financial services.
Board-level issues
The policy requires boards of directors to take an active role in overseeing cybersecurity measures, mandating each institution to set clear cyber risk tolerances and designate board-level committees to manage technology risks.
“Given the rapidly evolving cyber threat landscape, the board shall allocate sufficient time to discuss cyber risks and related issues, including the strategic, reputational and liquidity risks associated with extreme or adverse cyber-incident,” the consultation suggests, adding that this needs to be supported by input from external experts as appropriate.
“The board must also ensure its continuous engagements in cybersecurity preparedness, education and training.”
Vigilance and vulnerabilities
The regulator has also said institutions need to adopt a "zero-trust" approach and defence strategies, maintaining vigilance through real-time monitoring, red team exercises and crowdsourced security testing.
This means financial institutions will need to implement systems to detect threats early and conduct crisis management drills annually.
Financial institutions are also instructed in the document to secure back-up systems against threats such as ransomware, ensuring rapid data recovery capabilities for essential banking and payment services.
The central bank also said that financial institutions need to ensure that disruption to essential services caused by technology failures or cyber incidents does not exceed four hours on a rolling 12-month basis.
It has imposed a maximum tolerable downtime of 120 minutes per incident.
“For avoidance of doubt, disruption of online banking or payment services affecting more than 1% of daily average transactions for the current month or at least 10,000 failed transactions, whichever is higher, shall be classified as unplanned downtime,” the document says.
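The downtime thresholds above are easy to read but easy to mis-implement, particularly the "whichever is higher" rule. The following Python is an added example (not code from BNM or the exposure draft) of how a compliance or SRE team might encode them: it classifies an outage as unplanned downtime, sums unplanned minutes over a rolling 12-month window, and flags both the 120-minute per-incident limit and the four-hour cumulative limit. The incident record shape and the sample incident log are constructed for illustration, and the reading of "more than 1%" as a strict comparison versus "at least 10,000" as an inclusive one is our interpretation of the quoted wording.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as stated in the RMiT exposure draft (quoted in the article).
ROLLING_LIMIT_MINUTES = 4 * 60      # cumulative unplanned downtime, rolling 12 months
PER_INCIDENT_LIMIT_MINUTES = 120    # maximum tolerable downtime per incident
MIN_FAILED_TXNS = 10_000            # "at least 10,000 failed transactions"
PCT_OF_DAILY_AVG = 0.01             # "more than 1% of daily average transactions"


@dataclass
class Incident:
    """One service disruption (constructed record shape, not the draft's own)."""
    start: datetime
    duration_minutes: int
    failed_txns: int
    daily_avg_txns: int  # daily average transactions for the month of the incident


def is_unplanned_downtime(failed_txns: int, daily_avg_txns: int) -> bool:
    """Apply the 'whichever is higher' rule.

    Assumed reading of the draft: when 1% of the daily average exceeds 10,000,
    the outage is unplanned only if failures are strictly 'more than' that 1%;
    otherwise the inclusive 'at least 10,000' floor applies.
    """
    pct_threshold = PCT_OF_DAILY_AVG * daily_avg_txns
    if pct_threshold > MIN_FAILED_TXNS:
        return failed_txns > pct_threshold
    return failed_txns >= MIN_FAILED_TXNS


def unplanned_incidents(incidents, as_of, window_days=365):
    """Unplanned incidents that started inside the rolling window ending at as_of."""
    window_start = as_of - timedelta(days=window_days)
    return [
        i for i in incidents
        if window_start < i.start <= as_of
        and is_unplanned_downtime(i.failed_txns, i.daily_avg_txns)
    ]


def rolling_downtime_minutes(incidents, as_of):
    """Total unplanned downtime, in minutes, over the rolling window."""
    return sum(i.duration_minutes for i in unplanned_incidents(incidents, as_of))


def tolerance_breaches(incidents, as_of):
    """Report the rolling total and which incidents broke the per-incident limit."""
    in_scope = unplanned_incidents(incidents, as_of)
    per_incident = [i.start for i in in_scope
                    if i.duration_minutes > PER_INCIDENT_LIMIT_MINUTES]
    total = sum(i.duration_minutes for i in in_scope)
    return {
        "rolling_minutes": total,
        "rolling_breached": total > ROLLING_LIMIT_MINUTES,
        "per_incident_breaches": per_incident,
    }


# Constructed sample incident log for a hypothetical institution.
AS_OF = datetime(2025, 12, 1)
SAMPLE_INCIDENTS = [
    Incident(datetime(2024, 10, 1), 100, 50_000, 800_000),    # outside the 12-month window
    Incident(datetime(2025, 1, 15), 100, 15_000, 800_000),    # unplanned: meets the 10,000 floor
    Incident(datetime(2025, 6, 10), 150, 30_000, 2_000_000),  # unplanned: > 1% (20,000); over 120 min
    Incident(datetime(2025, 9, 1), 60, 2_000, 800_000),       # below both thresholds: not unplanned
]

if __name__ == "__main__":
    print(tolerance_breaches(SAMPLE_INCIDENTS, AS_OF))
```

Run on the sample log, the report counts 250 unplanned minutes in the window (the October 2024 incident falls outside it, and the September 2025 incident never reaches the classification threshold), which exceeds the four-hour limit, and it singles out the June 2025 incident for breaching the 120-minute per-incident tolerance.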
To mitigate vulnerabilities, the consultation outlines that financial institutions must regularly update their systems to prevent security flaws associated with outdated software or hardware.
It also states that institutions need to manage the lifecycle of technology systems to address known weaknesses and ensure the ongoing stability of critical financial infrastructure.
These measures are vital for minimising the risk of cyberattacks that could compromise service continuity across Malaysia's financial sector.
Outsourcing
As financial institutions increasingly use cloud services, BNM's draft requires a thorough risk assessment of cloud infrastructure, especially regarding data ownership, confidentiality and compliance.
“Where a financial institution is relying on a cloud environment, the financial institution shall ensure that these environments are not running on the same virtual host,” the guidance says.
It goes on to say that the assessment for adopting cloud services must thoroughly evaluate risks related to the deployment model's complexity, the migration process and the cloud infrastructure's geographic location, including any geopolitical or legal issues that may affect regulatory compliance.
In addition, firms in scope are advised to consider multi-tenancy risks, vendor lock-in, the ability to customise security settings and exposure to cyber-attacks via cloud providers.
They should also plan for data security in case of service termination, clearly define roles and responsibilities with the cloud provider, and ensure ongoing compliance with regulatory and international standards for cloud computing.
Similarly, the central bank has said that third-party providers must be closely monitored, with strict service level agreements governing data protection and business continuity in case of cyber incidents.
What next?
Once the policy is implemented, non-compliance could result in strict enforcement actions from BNM, with the regulator saying that “enforcement or supervisory actions can be taken against the financial institutions including its directors, officers and employees for any non compliance with any provision”.
Potential enforcement actions for non-compliance include mandating an independent external review of specific risk areas, requiring the institution to implement a targeted remediation plan, imposing additional capital requirements if necessary, and taking other appropriate measures to address the risks.
Additional capital requirements have been a tool used elsewhere in the region to manage operational resilience failures.
For example, in 2022, the Monetary Authority of Singapore (MAS) imposed an additional capital requirement, of approximately S$330m (US$248m), on OCBC Bank due to deficiencies in the bank’s response to a wave of spoofed SMS phishing scams in December 2021.