Today, 1 June 2023, Bank Negara Malaysia (BNM), the Malaysian financial regulator, issued the update to its Risk Management in Technology (RMIT) policy document [1].
Backstory
The document was first issued on 19 June 2020, after the exposure draft had been out for about one year. I was involved as part of the industry in giving input and feedback to BNM on the first draft of this document.
Changes - tl;dr
The following are the key highlights of the changes made to the document:
- Additional guidance provided to strengthen financial institutions' (FIs') cloud risk management capabilities
- Shift to a risk-based approach in the cloud consultation and notification process, with corresponding updates to the risk assessment and submission process
- Cross-references updated to include multi-factor authentication security control as a STANDARD requirement
- The FAQ has also been updated
The applicability remains the same: the same 8 organisation types apply.
Enforcement
The document takes effect today as a mandatory requirement, with the exception of paragraph 10.50, paragraph 15 and Appendix 10, which come into effect on 1 June 2024 (one year from today). That one-year deferral does not apply to digital banks or digital Islamic banks, nor to FIs which had already adopted public cloud for critical systems before the issuance date of this policy document.
Specifically for Appendix 10, such FIs need to make the necessary amendments or modifications by the next effective date of the relevant provisions in the policy document.
In other instances, 1 June 2024 is the due date for FIs which had not adopted public cloud for critical systems prior to the issuance of this policy document.
The actual changes
The original policy document's requirements for Technical Operations Management ran from 10.49 to 10.53, while the updated document has only 2 requirements in this section. Here are the new requirements.
*10.50 (G) For critical systems hosted on public cloud, a financial institution should consider common key risks and control measures as specified in Appendix 10. A financial institution that relies on alternative risk management practices that depart from the measures outlined in Appendix 10 should be prepared to explain and demonstrate to the Bank that these alternative practices are at least as effective as, or superior to, the measures in Appendix 10.
10.51 (S) A financial institution must implement appropriate safeguards on customer and counterparty information and proprietary data when using cloud services to protect against unauthorised disclosure and access. This shall include retaining ownership, control and management of all data pertaining to customer and counterparty information, proprietary data and services hosted on the cloud, including the relevant cryptographic keys management.*
**Now, we jump to Appendix 10.**
*10. Cybersecurity Operations*
*(a) A financial institution should ensure the governance and management of cybersecurity operations is extended to cover cloud services, with appropriate control measures to prevent, detect, and respond to cyber incidents in the cloud environment to maintain the overall security posture of the institution.*
*(b) The interconnected cloud service supply chain could become a source of cyber risk. A financial institution should ensure integrated monitoring and full visibility of cloud services are established. This should include the following:*
*i) continuous monitoring of system communications between the cloud service provider, on-premise IT systems and other service providers to ensure the security perimeter is not breached; and*
*ii) ensuring that third party service providers, including those providing ancillary functions, have adequate capabilities to monitor, detect and respond to anomalous activities, with timely communication to the financial institution of relevant cyber incidents.*
*(c) A financial institution should understand the segregation of responsibility in security management, which varies across the cloud service models. A financial institution should manage the sources of vulnerabilities appropriately including by:*
*i) proactively seeking assurance of their cloud service providers to conduct periodic VAPT on the cloud infrastructure to ensure tenant isolation and overall security posture remains healthy; and*
*ii) understanding the cloud service provider’s VAPT policy for the financial institution on cloud infrastructure for IaaS model given the varying degree of the financial institution’s access to the cloud environment and establish a VAPT arrangement with cloud service providers upfront which commensurate with the complexity of the cloud environment.*
We also see changes to Paragraph 15, covering the risk-based approach. The updated RMIT says:
*15 (S) Consultation and Notification related to Cloud Services*
*15.1 A financial institution is required to consult the Bank prior to the first-time adoption of public cloud for critical systems. During the consultation, the financial institution must demonstrate that specific risks associated with the use of cloud services have been adequately considered and addressed to the satisfaction of the Bank, in order to proceed with the adoption of the public cloud for critical systems for the first time. The financial institution shall undertake the following prior to consulting the Bank on its adoption of public cloud for critical systems:*
*(a) conduct a comprehensive risk assessment of the proposed cloud adoption, including the possible impact and measures to address and mitigate the identified risks as outlined in paragraph 10.49 and in Appendix 10. The financial institution shall also adopt the format of the Risk Assessment Report as per Appendix 7;*
*(b) provide a confirmation by the CISO, senior management officer or the chairman of the board or designated board-level committee stipulated in paragraph 8.4 of the financial institution’s readiness to adopt public cloud for critical system. The format of the confirmation shall be as set out in Appendix 8; and*
*(c) perform a third-party pre-implementation review on public cloud implementation that covers the areas set out in Appendix 10 and Part A of Appendix 9 for higher-risk public cloud services, such as when the cloud services involve the processing or storage of customer information, or if data will be transmitted across borders.*
*15.2 A financial institution shall notify the Bank on any subsequent adoption of public cloud for critical system, by submitting the notification together with the necessary updates to all the information required under paragraph 15.1, subject to the financial institution having met and included the following requirements in the notification submitted to the Bank that the financial institution:*
*(a) has consulted the Bank prior to adopting public cloud for critical systems for the first time in accordance with paragraph 15.1, with no concerns raised by the Bank during the first-time consultation;*
*(b) has enhanced the technology risk management framework to manage cloud risks;*
*(c) has established independent assurance on the cloud risk management framework; and*
*(d) provided assurance to the Bank on the enhanced incident response to cater for adverse/unexpected events.*
*15.3 For the avoidance of doubt, notification to the Bank under paragraph 15.2 is not required for any enhancement to existing cloud adoption that does not materially alter the prior assessments and representations made by a financial institution to the Bank.*
*15.4 The Bank may at its discretion require a financial institution to consult the Bank under paragraph 15.1, notify the Bank under paragraph 15.2 or observe any of the guidance in Appendix 10 and to explain any deviations from the guidance in Appendix 10 to the Bank, including for a non-critical system, where necessary as determined by the Bank.*
*15.5 The financial institutions must ensure the roadmap for adoption of cloud services (for critical systems and non-critical systems) is included in the annual outsourcing plan submitted to the Bank in adherence to the requirements in the policy document on Outsourcing or IT Profile. The risk assessment as outlined in paragraph 10.49 must also be documented and made available for the Bank’s review as and when requested by the Bank.*
As this is fresh out of the oven, I wanted the information to get out first so that my peers and friends can start "chewing" on it in preparation for senior management presentations.
References
[1] https://www.bnm.gov.my/-/risk-management-in-technology-rmit-policy-document