Introduction

On 1 June 2023, the Central Bank of Malaysia ("BNM", or Bank Negara Malaysia) issued an updated version of its Policy Document on Risk Management in Technology ("Updated RMiT PD"), which sets out additional requirements in respect of a financial institution's ("FI") management of cloud technology risks.[1] In conjunction with the issuance of the Updated RMiT PD, BNM also revised its FAQs for the Updated RMiT PD to provide further guidance and clarifications regarding such additional requirements.

This Update seeks to provide a summary of the key requirements being introduced under the Updated RMiT PD that FIs should take note of.

Key Updates in the Updated RMiT PD

The new requirements introduced by the Updated RMiT PD are mainly focused on the technology risk management issues regarding the adoption of cloud services by FIs, which include the following:

(a) New Requirements for Adoption of Public Cloud[2] for Critical Systems[3]

Under the existing Policy Document on Risk Management in Technology issued on 19 June 2020 ("Existing RMiT PD"), an FI is required to conduct a comprehensive risk assessment prior to cloud adoption and:

  1. consult BNM prior to using public cloud for critical systems;[4] and
  2. notify BNM of its intention to use cloud services for non-critical systems.[5]

To this end, the Updated RMiT PD clarifies that:[6]

  1. an FI is only required to consult BNM prior to the first-time adoption of public cloud for critical systems;
  2. an FI is only required to notify BNM for any subsequent adoption of public cloud for critical systems;
  3. an FI is no longer required to notify BNM of its intention to use cloud services for non-critical systems; and
  4. an FI must ensure that the roadmap for adoption of cloud services (for critical and non-critical systems) is included in the annual outsourcing plan submitted to BNM.

The new requirements above demonstrate BNM's shift to a risk-based approach in relation to cloud adoption by FIs.

Furthermore, under the Updated RMiT PD,[7] FIs are encouraged to carry out an assessment of common key risks and put in place control measures as specified in the newly incorporated Appendix 10 when adopting public cloud for critical systems. It is worth highlighting that the guidance set out in Appendix 10 of the Updated RMiT PD is largely adopted from the Cloud Technology Risk Assessment Guideline (CTRAG) Exposure Draft that was released by BNM in 2022 for public feedback.

Some of the key requirements introduced in Appendix 10 of the Updated RMiT PD are as follows:

  1. the development of internal policies and procedures by FIs to regulate internal adoption of cloud services;
  2. due diligence on prospective cloud service providers;
  3. the inclusion in FIs' agreements with their cloud service providers of minimum contractual clauses that set clear parameters on the information security and operational standards expected of the cloud service providers; and
  4. the identification of operational considerations that must be taken into account when adopting cloud services for critical systems.

(b) Multi-factor authentication ("MFA") Security Controls as a Standard Requirement

Under the Existing RMiT PD, BNM merely recommends that FIs deploy MFA technology and channels that are more secure than unencrypted short messaging service ("SMS").

The Updated RMiT PD now makes it a mandatory requirement for FIs to deploy MFA technology and channels that are more secure than unencrypted SMS, and to ensure that the MFA solution is resistant to interception or manipulation by any third party throughout the authentication process.

Effective Date of the Updated RMiT PD

The Updated RMiT PD came into effect on 1 June 2023. However, the new amendments specifically related to cloud technology risk management take effect as follows:

  • 1 June 2023 - for licensed digital banks and Islamic digital banks; and
  • 1 June 2024 - for FIs other than licensed digital banks and Islamic digital banks.

Concluding Remarks

In view of BNM's shift to a risk-based approach to FIs' adoption of public cloud for their critical systems, and the revised requirements that accompany such adoption, FIs will need to review their internal policies and procedures regarding the adoption and rollout of cloud services, as well as their contractual terms with their respective cloud service providers, in order to ensure compliance with the new requirements under the Updated RMiT PD.

We trust that the above provides you with a quick update on the revised requirements introduced by BNM in the Updated RMiT PD. Should you require any assistance or clarification regarding the above, or about any matter pertaining to the same, please feel free to reach out to our team at your convenience.

This Client Update is contributed by the Contact Partners listed above, with the assistance of Ng Hong Syuen (Associate, Christopher & Lee Ong) and Yeap Yee Lin (Associate, Christopher & Lee Ong).

Footnotes

1. Particularly, the additional requirements relating to cloud are set out in paragraph 10.50, paragraph 15 and Appendix 10 of the Updated RMiT PD.

2. "Public cloud" is defined under the Updated RMiT PD to refer to a fully virtualised environment in which a service provider makes resources such as platforms, applications or storage available to the public over the Internet via a logically separated multi-tenant architecture.

3. "Critical systems" is defined under the Updated RMiT PD to refer to any application system that supports the provision of critical banking, insurance or payment services, where failure of the system has the potential to significantly impair the financial institution's provision of financial services to customers or counterparties, business operations, financial position, reputation, or compliance with applicable laws and regulatory requirements.

4. Paragraph 10.51 of the Existing RMiT PD.

5. Paragraph 10.50 of the Existing RMiT PD.

6. Paragraph 15 of the Updated RMiT PD.

7. Paragraph 10.50 of the Updated RMiT PD.

Originally published 2023 September

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.