The Bank Negara Malaysia (BNM) has taken a lead in defining a stringent security controls framework for Malaysian financial institutions. Sustained, advanced persistent threat (APT) attacks on the banking industry such as the Carbanak hack shook the banking world. This co-ordinated and sophisticated attack really was a wake-up call to banks that cybercrime was becoming more organized and effective. Carbanak not only resulted in core banking systems being infiltrated allowing fraudulent electronic fund transfers to be used, but ATM systems were also hacked to allow cash to be stolen directly.

The Risk Management in Technology (RMiT) provides clear guidance for minimum expected standards in cyber security and serves to provide a level of confidence within the market, covering everything from the data center to the ATM/SST. The BNM guidelines are detailed in the RMiT BNM/RH/ED 028-98 publication.

Banking and finance is always a high-risk industry with respect to hackers and it is crucial that awareness of threats is always maintained and new technological innovations are being utilized, for example, leveraging One-Time Passwords (OTP) to reduce the opportunity for fraudulent transactions.

Significantly, the RMiT is very clear in placing responsibility at the Board level for an understanding of the ‘financial institution’s risk appetite’ and its ‘corresponding risk tolerances for technology-related events’. Furthermore, it is also a board-level responsibility to ensure ‘effective implementation of a sound and robust technology risk management framework (TRMF) and cyber resilience framework (CRF), for the financial institution to ensure the continuity of operations and delivery of financial services’. In other words, compliance with RMiT is mandatory and everyone is responsible for its delivery.