BNM’s Risk Management in Technology policy for FSI due out 1st June
A Risk Management in Technology (RMiT) exposure draft by Bank Negara Malaysia (BNM) is expected to apply to licensed financial institutions such as banks, insurers, takaful operators, operators of designated payment systems and eligible issuers of e-money.
This is an extremely large and complicated ecosystem comprising many businesses, but the draft, which is expected to become official policy by 1st June, is needed to ready these organisations to face and respond to rising cybercrime.
Cybersecurity Malaysia CEO Amirudin Abdul Wahab had shared during a fintech event that more than half of the 10,000 cybercrimes reported in 2018 involved cyberfraud amounting to millions of ringgit.
He later told EITN, “The ultimate objective of cyber security risk management is to build cyber resiliency where an organisation’s systems and operations are designed to prevent and detect cyber threats and respond to an event that can minimise business disruption and financial losses.”
Multinational law firm Baker McKenzie shared their thoughts on www.lexology.com, broadly outlining five areas that the financial services industry (FSI) has to look at in preparation for RMiT.
These are: (1) board and senior management responsibilities; (2) a chief information security officer; (3) data centres; (4) cloud services; and (5) third-party outsourcing.
Significantly, the law firm points out that the draft currently does not prohibit the use of cloud, except for certain critical technology functions and confidential information, which cannot be hosted on a public cloud.
This is a far cry from over five years ago, when the industry and its regulator were seen to be frowning on anything to do with cloud.
The frown hasn’t turned the other way to become smiles all the way, but constant dialogue between BNM and FSI players is slowly changing the industry’s approach towards cloud and other disruptive technologies. Banks like HSBC report that the regulatory environment is curious and starting to ask more questions about technologies like cloud and blockchain, for example.
Whispers that regulations around cloud usage would relax are finally confirmed by Bank Negara Malaysia’s draft, which states that it does not prohibit the use of cloud as long as the financial institution fully understands the inherent risks and conducts a risk assessment with the following considerations:
(a) Sophistication of the deployment model;
(b) Migration of existing system to cloud infrastructure;
(c) Location of cloud infrastructure;
(d) Multi-tenancy or data co-mingling;
(e) Vendor lock-in, application portability or interoperability;
(f) Ability to customise security configurations of the cloud infrastructure to ensure high level of data and technology system protection;
(g) Exposure to cyber-attacks via cloud service providers;
(h) Exit strategy including data removal and deletion;
(i) Demarcation of responsibilities, limitations and liability of the service provider; and
(j) Compliance to regulatory requirements and international standards on cloud computing.
Parallels were drawn to Singapore’s monetary authority (MAS) when Baker McKenzie observed that the board of directors will have overall responsibility and oversight for the implementation of a robust technology risk management framework.
The draft also mandates financial institutions to designate a Chief Information Security Officer, who among other things will enforce compliance with a technology risk management framework (TRMF) and cyber resilience framework (CRF).
It does not go so far as to hold the Board or the business accountable for cyberattacks, which parties like Singapore’s Cyber Security Agency (CSA) say should be the case.
CSA’s CEO David Koh was reported as having observed that CEOs and decision makers have not been held accountable, partly because cyber incidents are seen as a technical issue.
Dr. Amirudin pointed out that the draft document states financial institutions should adopt international standards and best practices in a few areas, one of which is the implementation of security controls.
He added that CSM is the accredited certification body for Information Security Management System (ISMS) certification and as such is ready to play the part of collaborator with financial institutions to ensure all the requirements stated by BNM are adopted and complied with.