On 1 June 2023, the Central Bank of Malaysia, Bank Negara Malaysia ("BNM"), issued a revised version of its Policy Document on Risk Management in Technology ("Revised RMiT PD").
This document sets out additional requirements for a financial institution's ("FI") management of cloud technology risks and the adoption of multi-factor authentication ("MFA") security controls by financial institutions, including the following:
- New Requirements for Adoption of Public Cloud for Critical Systems
Under the Revised RMiT PD, an FI is only required to consult BNM prior to the first-time adoption of a public cloud for critical systems, and to notify BNM for any subsequent such adoptions. For non-critical systems involving the cloud, an FI is no longer required to notify BNM of its intention to use the same.
- Guidance on Assessment of Common Key Risks and Control Measures for Adoption of Public Cloud for Critical Systems
The Revised RMiT PD incorporates a new Appendix 10 which adopts the Cloud Technology Risk Assessment Guideline (CTRAG) Exposure Draft released in 2022. FIs are encouraged to carry out an assessment of common key risks and control measures specified in Appendix 10 when adopting a public cloud for critical systems.
- MFA Security Controls as a Standard Requirement
The Revised RMiT PD makes it mandatory for FIs to deploy MFA technology and channels that are more secure than the unencrypted short messaging service (SMS), and to ensure that the MFA solution is resistant to interception or manipulation by any third party throughout the authentication process.
The Revised RMiT PD came into effect on 1 June 2023. However, for the new amendments specifically related to cloud technology risk management, the amendments will take effect as follows:
- 1 June 2023 – for licensed digital banks and Islamic digital banks; and
- 1 June 2024 – for FIs other than licensed digital banks and Islamic digital banks.
