On 4th September 2018, Bank Negara Malaysia (“BNM”) issued an exposure draft of the Risk Management in Technology policy document, which sets out BNM’s expectations for financial institutions’ technology risk management frameworks and practices, proportionate to the size and complexity of each financial institution.
The policy will apply to all licensed financial institutions such as licensed banks, licensed insurers, licensed takaful operators, prescribed development financial institutions, operators of a designated payment system and eligible issuers of e-money.
As technology capability is continuously enhanced and financial institutions are quick to adopt technology innovations in providing their services to customers, BNM has implemented a notification-based approach for selected low-risk enhancements to e-banking, Internet insurance and Internet takaful services.
Subsequently, BNM has further expanded the notification-based approach by requiring all financial institutions to notify the Bank prior to implementing any new e-banking/Internet insurance/Internet takaful service (i.e. the introduction of new technology to the financial institution or to the industry) or any material enhancement to an existing e-banking/Internet insurance/Internet takaful service.
The key requirements and standards that BNM is proposing to introduce are summarised as follows:
The Board and senior management shall have overall responsibility for ensuring effective implementation of sound and robust technology risk management, so that the financial institution can sustain its operations and deliver financial services. In fulfilling this role, the Board must provide oversight and guidance in the formulation of the technology risk appetite, strategic plan and other associated risk frameworks commensurate with the nature and complexity of the business. Any plans formulated in relation to the technology risk management framework (“TRMF”) must be reviewed periodically, at least biennially, so that they remain commensurate with changes in risk profiles and the business environment. Senior management must translate the Board’s strategic direction and the approved TRMF and Cyber Resilience Framework (“CRF”) into specific policies and procedures within the approved risk appetite and risk tolerance, supported by effective reporting and escalation procedures.
2. Technology Risk Management
A financial institution must ensure that an independent enterprise-wide technology risk management function—
- is made responsible for the implementation of TRMF and CRF; and
- plays an advisory role on critical technology projects, including escalating issues in a timely manner.
Further to this, a financial institution must designate a Chief Information Security Officer (CISO) to be responsible for the technology risk management function and ensure that the CISO has sufficient authority, independence and resources. The CISO shall—
- be independent from day-to-day technology operations;
- be well aware of current and emerging technology risks affecting the industry which could potentially affect the financial institution’s risk profile; and
- be appropriately certified.
3. Technology Operations Management
A financial institution must establish a robust framework for managing technology projects. The framework shall clearly establish the following:
- Project governance including the project oversight, roles and responsibilities, approval requirements, ownership and reporting structure;
- Project planning, initiation and implementation strategies that cover feasibility studies including evaluation of acquisition vs in-house developed systems, project timelines and deliverables, resources as well as vendor management where appropriate;
- Monitoring and reporting procedures on the project progress, performance and resources;
- Escalation process and procedure for resolution of issues to ensure proper deliberation at the appropriate level. Issues that cannot be resolved at the project level shall be escalated to senior management or the designated Board level committee; and
- Project closure, comprehensive documentation and post implementation review procedures.
4. Cybersecurity Management
A financial institution must ensure that there is an enterprise-wide focus on effective cyber risk management, as it is a collective responsibility of the business and technology lines.
5. Technology Audit
A financial institution must ensure that the scope, frequency and intensity of technology audit are commensurate with the complexity, sophistication and criticality of its technology systems and applications. A financial institution must also ensure that internal audit has the relevant technology audit competencies and is familiar with the financial institution’s technology operations.
6. Internal Awareness and Training
A financial institution must provide adequate and regular technology and cybersecurity awareness education (such as measures to mitigate social engineering attacks) for all staff in undertaking their respective roles. A financial institution must establish mechanisms to measure the effectiveness of the training.
This cybersecurity awareness education must reflect the current cyber threat landscape and be conducted at least annually. A financial institution must provide adequate training to continuously enhance the technical competencies and capacity of its technology operations, cybersecurity and risk management staff, commensurate with the requirements of their roles and responsibilities.
Here in Malaysia, financial institutions will need to strengthen their cyber defences to ensure that their systems and customer data are afforded greater protection, and should therefore take the opportunity to review their existing systems, frameworks and processes to ensure that these meet the proposed requirements.
This includes revising any existing policies that are similar to the TRMF and CRF to ensure that they meet the requirements proposed by BNM. Financial institutions can also begin identifying appropriately qualified candidates for the various offices and positions now, given the competition for talent in this space.
Similar practices have also been adopted by the Monetary Authority of Singapore under its Technology Risk Management Guidelines of June 2013, which prescribe comparable guidance on technology risk management practices.
The proposed exposure paper can be found here.