Malaysia: Risk-based assessment of cloud adoption - Updated Risk Management in Technology Policy Document

In brief

Bank Negara Malaysia (i.e., the Central Bank of Malaysia) (BNM) had on 1 June 2023 updated its existing Risk Management in Technology Policy Document ("Updated RMIT PD") to, among others, provide further guidance on the use of cloud services to be adopted by selected financial institutions. These changes take effect on 1 June 2023 (for licensed digital banks and licensed Islamic digital banks) and 1 June 2024 (for all other financial institutions).

Licensed banks, investment banks, insurers and takaful operators (including professional reinsurers and retakaful operators), issuers of electronic money, operators of designated payment systems, and prescribed development financial institutions (each a FI and collectively, FIs), as well as cloud service providers, should familiarise themselves with these changes, as they will impact a FI's cloud adoption initiatives and roll-out strategy.


Contents

Updated RMIT PD

1. Adoption of Cloud Services

   a. Under the existing Risk Management in Technology Policy Document issued on 19 June 2020 ("Existing RMIT PD"), a FI is required to consult BNM prior to the use of public cloud for critical systems and to notify BNM of its use of cloud services for non-critical systems. Under the Updated RMIT PD:

      i. A FI is only required to consult BNM prior to its first-time adoption of public cloud for critical systems ("Consultation Requirement"). Before the consultation with BNM, the FI will need to, among others, undertake a risk assessment of the cloud adoption (as further elaborated below) and submit to BNM a confirmation that the FI is ready to adopt public cloud for critical systems.

         During the consultation with BNM, the FI must be able to demonstrate to BNM that the specific risks associated with the usage of cloud services have been adequately considered and addressed to the satisfaction of BNM.

      ii. A FI must thereafter notify BNM of any subsequent adoption of public cloud for critical systems ("Notification Requirement").

      iii. A FI is no longer required to notify BNM of its use of cloud services for non-critical systems.

      The updated processes under the Updated RMIT PD represent a shift by BNM to a risk-based approach in the cloud consultation and notification procedure.

   b. BNM has formally incorporated the Cloud Technology Risk Assessment Guide Exposure Draft (issued on 3 June 2022) (CTRAG) into the Updated RMIT PD. In this regard, BNM has provided guidance on the common key risk areas and control measures for a FI to consider and implement (in a risk-based, proportionate manner) before it adopts public cloud for critical systems for the first time:

      i. Cloud Governance - a FI must undertake various initiatives, such as, among others:

         - Implementing a cloud risk management framework, owned by senior management, which integrates with the FI's outsourcing risk management framework, technology risk management framework and cyber resilience framework;
         - Ensuring that contracts with cloud service providers address the risks stipulated in the RMIT PD and the Outsourcing Policy Document; and
         - Ensuring that relevant internal resources (including in finance, procurement, legal, risk and compliance) are adequately skilled and engaged to manage the change in risk profile arising from cloud adoption,

         towards ensuring that the FI has in place a comprehensive cloud usage policy and the technology skills capacity to implement cloud services securely and effectively; and

      ii. Cloud Design and Control - a FI must take into consideration various factors, such as:

         - Enhancing its existing cyber crisis management policies and procedures, and its Cyber Incident Response Plan, to include responses to cyber threats in a cloud environment; and
         - The arrangements entered into by the FI with cloud service providers, which should require that the providers undertake integrated business continuity testing and cyber drills in accordance with the Business Continuity Management Policy Document and the RMIT PD,

         towards designing a robust cloud infrastructure and operationalising the cloud environment.

   FIs which have already deployed cloud services for critical systems have up to one year (until 1 June 2024) or up to the next renewal of the FI's contract with its cloud service providers (whichever is later) to ensure that the requirements set out in the Updated RMIT PD are addressed.

2. Strengthening of Multi-factor Authentication security control

   Further, the Updated RMIT PD also seeks to strengthen the guidance provided under the Existing RMIT PD on the use of multi-factor authentication (MFA) security controls. Under the Existing RMIT PD, FIs are required to deploy adequately secure MFA solutions for open third-party fund transfers and open payment transactions above RM 10,000.

   The Updated RMIT PD imposes stronger requirements on the MFA controls used: FIs must now ensure that the MFA security controls are resistant to interception or manipulation by any third party throughout the authentication process, and must deploy MFA technology and channels which are more secure than unencrypted short messaging services (SMS) (the latter of which was previously only a recommendation and not a requirement).

3. Compliance Assessment and Gap Analysis

   Within 90 days of the issuance of the Updated RMIT PD, all FIs are required to:

   a. Perform a compliance assessment and gap analysis of their existing practices in managing technology risks against the Updated RMIT PD;
   b. Establish an action plan to address such gaps; and
   c. Submit the gap analysis and action plan to BNM.

   This requirement nonetheless applies to FIs which have previously made such a submission under the Existing RMIT PD, such that new gaps arising from the Updated RMIT PD requirements need to be assessed and addressed.

Takeaways

FIs are encouraged to take stock of their existing systems, plans, resources and frameworks and revise the same to ensure that they comply with the standards and requirements stipulated under the Updated RMIT PD. The Updated RMIT PD reflects BNM's recognition of the increased reliance by FIs on cloud services across the organisation to support the FI's digitalisation initiatives (especially those of digital banks, which operate on a technology-first model).

* * * * *

This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Contact Information
Serene Kan
Of Counsel
Kuala Lumpur
serene.kan@wongpartners.com
Kean Lynn Tai
Legal Assistant
Kuala Lumpur
keanlynn.tai@wongpartners.com
Eliza Chow
Legal Assistant
Kuala Lumpur
eliza.chow@wongpartners.com

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. 
Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.