On 18-July-2019, Bank Negara Malaysia released the “Risk Management in Technology” document. This document is a policy document which sets out the regulation for financial institutions on management of technology risk.
Top 6 critical questions and answers
1. Is compliance voluntary?
This policy document states the compulsory ‘must’ and ‘shall’ clauses as well as guidelines. It is clearly indicated in clause 5.2 that “failure to comply may result in one or more enforcement actions”, as such, this is not a voluntary standard/guideline.
2. Which organisations must abide by RMiT?
Financial institutions (in the definition of the RMiT), are licensed banks, investment banks, Islamic banks, insurers including professional reinsurers, takaful operators including professional retakaful operators as well as prescribed development financial institutions, approved issuer of electronic money and operators of a designated payment system. Details are available in the Malaysian FSA, IFSA and DFIA legal provisions.
3. Do all data centres need to comply to RMiT?
RMiT applies to all data centres which the financial organization operates including production and disaster recovery sites. Where a financial organization is using outsourced data centre providers such as commercial data centre operators as well as cloud-based service provides then they fall under the scope as well.
4. What is the scope of RMiT?
Although the RMiT is a standalone document, many of its requirements can be mapped back to existing standards with some of the clauses requiring an extension to ensure the scope is covered as per the definition of Bank Negara Malaysia. This illustration below gives an overview of the RMiT requirements.
5. When are the deadlines?
Financial organizations must submit a gap analysis of the existing practices in managing technology risk against the requirements of RMiT by no later than 18 October 2019. It will then have to address any potential gaps to ensure that the organisation is fully compliant as per 1st of January 2020.
6. Is self-assessment an option?
The RMiT policy document states in clauses 10.25 and 10.40 that the Data Centre and Network Risk Assessment shall be conducted by an external auditor.
EPI RMiT Services
EPI’s assessment services will ensure you meet the RMiT requirements saving you time and effort and giving you peace of mind.
1. DCRA – Data Centre Risk Assessment
2. DCORA – Data Centre Operations Risk Assessment
3. DGRA – Data Centre Governance Assessment
4. DCRA + DCORA + DGRA
HURRY, TIME IS RUNNING OUT!
You will have to submit the first report to BNM by October 2019. Contact us now to ensure you are compliant and avoid BNM’s enforcement actions.
Email David Goh at firstname.lastname@example.org.