Risk Management in Technology (RMiT) - Central Bank of Malaysia
1.1 Technology risk refers to risks emanating from the use of information technology (IT) and the Internet. These risks arise from failures or breaches of IT systems, applications, platforms or infrastructure, which could result in financial loss, disruptions in financial services or operations, or reputational harm to a financial institution.
1.2 With the more prevalent use of technology in the provision of financial services, there is a need for financial institutions to strengthen their technology resilience against operational disruptions to maintain confidence in the financial system. The growing sophistication of cyber threats also calls for the increased vigilance and capability of financial institutions to respond to emerging threats. Critically, this should ensure the continuous availability of essential financial services to customers and adequate protection of customer data.
1.3 This policy document sets out the Bank’s requirements with regard to financial institutions’ management of technology risk. In complying with these requirements, a financial institution shall have regard to the size and complexity of its operations. Accordingly, larger and more complex financial institutions are expected to demonstrate risk management practices and controls that are commensurate with the increased technology risk exposure of the institution. In addition, all financial institutions shall observe minimum prescribed standards in this policy document to prevent the exploitation of weak links in interconnected networks and systems that may cause detriment to other financial institutions and the wider financial system. The control measures set out in Appendices 1 to 5 serve as a guide for sound practices in defined areas. Financial institutions should be prepared to explain alternative risk management practices that depart from the control measures outlined in the Appendices and demonstrate their effectiveness in addressing the financial institution’s technology risk exposure.
2.1 This policy document is applicable to all financial institutions as defined in paragraph 5.2.
3 Legal provision
3.1 The requirements in this policy document are specified pursuant to—
(a) Sections 47(1) and 143(2) of the Financial Services Act 2013 (FSA);
(b) Sections 57(1) and 155(2) of the Islamic Financial Services Act 2013 (IFSA); and
(c) Sections 41(1) and 116(1) of the Development Financial Institutions Act 2002 (DFIA).
3.2 The guidance in this policy document is issued pursuant to section 266 of the FSA, section 277 of the IFSA and section 126 of the DFIA.
4 Effective date
4.1 This policy document comes into effect on 1 January 2020.
5.1 The terms and expressions used in this policy document shall have the same meanings assigned to them in the FSA, IFSA or DFIA, as the case may be, unless otherwise defined in this policy document.
5.2 For purposes of this policy document –
“S” denotes a standard, an obligation, a requirement, specification, direction, condition and any interpretative, supplemental and transitional provisions that must be complied with. Non-compliance may result in enforcement action;
“G” denotes guidance which may consist of statements or information intended to promote common understanding and advice or recommendations that are encouraged to be adopted;
“board” refers to the board of directors of a financial institution, including any committee carrying out any of the responsibilities of the board under this policy document;
“critical system” refers to any application system that supports the provision of critical banking, insurance or payment services, where failure of the system has the potential to significantly impair the financial institution’s provision of financial services to customers or counterparties, business operations, financial position, reputation, or compliance with applicable laws and regulatory requirements;
“customer and counterparty information” refers to any information relating to the affairs or, in particular, the account, of any customer or counterparty of a financial institution in whatever form;
“cyber resilience” refers to the ability of people, processes, IT systems, applications, platforms or infrastructures to withstand adverse cyber events;
“cyber risk” refers to threats or vulnerabilities emanating from the connectivity of internal technology infrastructure to external networks or the Internet;
“digital services” refers to the provision of payment, banking, Islamic banking, insurance or takaful services delivered to customers via electronic channels and devices including Internet and mobile devices, self-service and point-of-sale terminals;
“financial institution” refers to-
(a) a licensed person under the FSA and the IFSA (excluding branches of a foreign professional reinsurer and a professional retakaful operator);
(b) a prescribed development financial institution under the DFIA;
(c) an eligible issuer of e-money as defined in the policy document on Interoperable Credit Transfer Framework; and
(d) an operator of a designated payment system;
“large financial institution” refers to-
(a) a financial institution with one or more business lines that are significant in terms of market share in the relevant industry; or
(b) a financial institution with a large network of offices within or outside Malaysia through operations of branches and subsidiaries;
“material technology projects” refers to projects which involve critical systems, the delivery of essential services to customers or counterparties, or compliance with regulatory requirements;
“OTP or one-time password” refers to an alphanumeric or numeric code represented by a minimum of 6 characters or digits which is valid only for single use;
“public cloud” refers to a fully virtualised environment in which a service provider makes resources such as platforms, applications or storage available to the public over the Internet via a logically separated multi-tenant architecture;
“production data centre” refers to any facility which hosts active critical production application systems irrespective of location;
“recovery data centre” refers to a facility that a financial institution plans to activate to recover and restore its IT applications and operations upon failure of its production data centre irrespective of location;
“senior management” refers to the Chief Executive Officer (CEO) and senior officers;
“third party service provider” refers to an internal group affiliate or external entity providing technology-related functions or services that involve the transmission, processing, storage or handling of confidential information pertaining to the financial institution or its customers. This includes cloud computing software, platform and infrastructure service providers.
6 Related legal instruments and policy documents
6.1 This policy document must be read together with any relevant legal instruments, policy documents and guidelines issued by the Bank, in particular—
(a) Policy Document on Risk Governance;
(b) Policy Document on Compliance;
(c) Policy Document on Outsourcing;
(d) Policy Document on Operational Risk;
(e) Policy Document on Operational Risk Reporting Requirement Operational Risk Integrated Online Network (ORION);
(f) Policy Document on Introduction of New Products;
(g) Policy Document on Interoperable Credit Transfer Framework;
(h) Guidelines on Business Continuity Management (Revised);
(i) Provisions under paragraphs 21, 22 and 26 of the Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions;
(j) Provisions under paragraphs 28 and 29 of the Guidelines on Internet Insurance (Consolidated);
(k) Guidelines on Data Management and MIS Framework;
(l) Guidelines on Data Management and MIS Framework for Development Financial Institutions; and
(m) Paragraphs 3 and 5 of the Circular on Internet Takaful.
7 Policy documents and circulars superseded
7.1 This policy document supersedes the following circulars, guidelines and policy documents:
(a) Guidelines on Management of IT Environment (GPIS 1) issued in May 2004;
(b) Preparedness against Distributed Denial of Service Attack issued on 17 October 2011;
(c) Managing Inherent Risk of Internet Banking Kiosks issued on 5 December 2011;
(d) Circular on Managing Risks of Malware Attacks on Automated Teller Machine (ATM) issued on 3 October 2014;
(e) Managing Cyber Risk Circular issued on 31 July 2015;
(f) Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions, except for the provisions under paragraphs 21, 22 and 26;
(g) Guidelines on Internet Insurance (Consolidated), except for the provisions under paragraphs 28 and 29;
(h) Circular on Internet Takaful, except for paragraphs 3 and 5;
(i) Letter to CEO dated 31 October 2017 entitled “Immediate Measures for Managing identification of Counterfeit Malaysian Currency Notes at Deposit-Accepting Self Service Terminals (SST)”;