
Navigating Bank Negara Malaysia (BNM) Risk Management in Technology (RMiT) for Financial Institutions

Kevin Wu
6 min read · Feb 16, 2024

Bank Negara Malaysia's (BNM) Risk Management in Technology (RMiT) policy document establishes a comprehensive framework for safeguarding the IT infrastructure and information assets of financial institutions (FIs).

By emphasizing governance, risk assessment, security controls, and continuous improvement, the policy aims to ensure the resilience and security of financial institutions in the face of evolving cyber threats and technological challenges.

This article outlines the key areas of the policy and the categories of solutions that help an FI meet its requirements. The example solutions listed under each area are taken from the Gartner Peer Insights market lists. Which one fits best, however, depends on your organisation's size, risk profile and industry, and choosing it is a judgment call rather than something the list can make for you.

Governance and Risk Management

This area emphasizes establishing robust governance structures and oversight mechanisms for IT risk management. Clear roles and responsibilities are defined to ensure accountability at all levels of the organisation.

Gartner defines integrated risk management (IRM) as the combined technology, processes and data that serve to simplify, automate and integrate strategic, operational and IT risk management across an organization.
https://www.gartner.com/reviews/market/integrated-risk-management

Some solutions in this area:

  1. ServiceNow Governance Risk and Compliance (GRC) [https://www.servicenow.com/products/governance-risk-and-compliance.html]
  2. Archer IT Security Risk Management [https://www.archerirm.com/it-security-risk-management]
  3. LogicManager IT Governance & Security Policy Management [https://www.logicmanager.com/solutions/it-governance-cybersecurity/it-policy-management/]

Risk and Vulnerability Assessment and Classification

This area of the policy outlines a systematic approach to identifying, assessing, and classifying IT-related risks. Risks are categorised based on their potential impact on the confidentiality, integrity, and availability of information assets.

Vulnerability Assessment (VA) solutions identify, categorize and prioritize vulnerabilities as well as orchestrate their remediation or mitigation. Their primary focus is vulnerability and security configuration assessments for enterprise risk identification and reduction, and reporting against various compliance standards. VA can be delivered via on-premises, hosted and cloud-based solutions, and it may use appliances and agents. https://www.gartner.com/reviews/market/vulnerability-assessment

One practical caveat: a scanner ranks technical findings (typically by severity score and exploitability), not by business impact. Mapping those findings to the confidentiality, integrity and availability classification the policy expects still depends on an accurate asset inventory that tags which systems are critical, so the scanner's results should be fed into the risk register rather than treated as the register itself.

The solutions in this space are:

  1. Rapid7 InsightVM [https://www.rapid7.com/products/insightvm/]
  2. Tenable Nessus [https://www.tenable.com/products/nessus]
  3. Qualys VMDR [https://www.qualys.com/apps/vulnerability-management-detection-response/]

Security Controls and Safeguards

BNM emphasizes the implementation of security controls and safeguards to mitigate identified risks effectively. Measures include access controls, encryption, network security, and regular security audits to ensure compliance. The solution space here can be further broken down into several subcategories.

Security Information and Event Management (SIEM)

SIEM aggregates the event data that is produced by monitoring, assessment, detection and response solutions deployed across application, network, endpoint and cloud environments. Capabilities include threat detection through correlation rules and user and entity behaviour analytics (UEBA), and response integrations commonly managed through security orchestration, automation and response (SOAR). https://www.gartner.com/reviews/market/security-information-event-management

  1. Splunk Enterprise [https://www.splunk.com/en_us/products/splunk-enterprise.html]
  2. LogRhythm SIEM [https://logrhythm.com/products/logrhythm-siem/]
  3. IBM QRadar SIEM [https://www.ibm.com/products/qradar-siem]

Endpoint Protection Platforms

Endpoint protection platforms (EPPs) provide the facility to deploy agents or sensors to secure managed endpoints, including desktop PCs, laptop PCs, servers and mobile devices. EPPs are designed to prevent a range of known and unknown malicious attacks. In addition, they provide the ability to investigate and remediate any incidents that evade protection controls. https://www.gartner.com/reviews/market/endpoint-protection-platforms

  1. Trellix Endpoint Security [https://www.trellix.com/platform/endpoint-security/]
  2. Broadcom Symantec Endpoint Security [https://www.broadcom.com/products/cybersecurity/endpoint/end-user/enterprise]
  3. Microsoft Defender for Endpoint [https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint]

Data Loss Prevention

DLP technology includes offerings that provide visibility into data usage and movement across an organization. It also involves dynamic enforcement of security policies based on content and context for data in use, data in motion and data at rest. DLP technology seeks to address data-related threats, including the risks of inadvertent or accidental data loss and the exposure of sensitive data, using monitoring, alerting, warning, blocking, quarantining and other remediation features. https://www.gartner.com/reviews/market/data-loss-prevention

  1. Forcepoint DLP [https://www.forcepoint.com/product/dlp-data-loss-prevention]
  2. Broadcom DLP [https://www.broadcom.com/products/cybersecurity/information-protection/data-loss-prevention]
  3. Trellix DLP [https://www.trellix.com/products/dlp/]

Network Access Control

Gartner defines network access control (NAC) as technologies that enable organizations to implement policies for controlling access to corporate infrastructure by both user-oriented devices and Internet of Things (IoT) devices. Policies may be based on authentication, endpoint configuration (posture) or users' role/identity. NAC can also implement post-connect policies based on integration with other security products. https://www.gartner.com/reviews/market/network-access-control

  1. Cisco ISE [https://www.cisco.com/site/us/en/products/security/identity-services-engine/index.html]
  2. Fortinet FortiNAC [https://www.fortinet.com/products/network-access-control]
  3. Forescout NAC [https://www.forescout.com/solutions/network-access-control/]

Observability Platforms

Gartner defines observability platforms as products used to understand the health, performance and behavior of applications, services and infrastructure. They ingest telemetry (operational data) from a variety of sources, including but not limited to logs, metrics, events and traces. Observability platforms enable analysis of the telemetry, either via human operator or machine intelligence, to determine changes in system behavior that impact end user experience such as outages or performance degradation. This allows for early, even preemptive, problem remediation. https://www.gartner.com/reviews/market/observability-platforms

Note that these are operations tools: they support the availability side of the policy (spotting degradation and outages early) and their telemetry is a useful feed into a SIEM, but they do not replace security monitoring.

  1. Dynatrace Full stack Observability [https://www.dynatrace.com/solutions/full-stack-observability/]
  2. Cisco AppDynamics [https://www.cisco.com/c/en/us/solutions/data-center/appdynamics-application-performance-monitoring.html]
  3. New Relic [https://newrelic.com/platform]

Incident Response and Management

The incident response and management section of BNM's RMiT outlines the framework for effectively addressing and mitigating technology-related incidents within the organization. It is designed to ensure prompt detection, containment, eradication, and recovery from incidents to minimize their impact on operations, data integrity, and customer trust.

IT Resilience Orchestration (ITRO) solutions are chiefly aimed at helping to improve the reliability, speed and granularity of workload recovery due to unplanned outages by automating disaster recovery (DR) processes while lowering costs of DR exercising and DR operations staff. https://www.gartner.com/reviews/market/it-resilience-orchestration

  1. Zerto Orchestration [https://www.zerto.com/zerto-platform/core-elements/orchestration-and-automation/]
  2. Druva Data Resiliency Cloud [https://www.druva.com/products/platform-overview]
  3. AWS Elastic Disaster Recovery [https://aws.amazon.com/disaster-recovery/]

The e-discovery solutions market comprises vendors offering technology solutions that facilitate the electronic discovery process. E-discovery solutions specialize in one or more areas to identify, collect, preserve, process, review, analyze and produce electronically stored information (ESI). Producing ESI fulfils legal and compliance requirements for discovery that result from a variety of investigative scenarios. The scope of ESI often includes data sources such as digital communications, file systems, cloud office platforms, endpoints, databases and applications. https://www.gartner.com/reviews/market/e-discovery-software

  1. Reveal eDiscovery [https://www.revealdata.com/electronic-discovery]
  2. Veritas eDiscovery [https://www.veritas.com/insights/ediscovery-platform]
  3. Logikcull [https://www.logikcull.com/]

Enterprise backup and recovery software solutions are vendor-developed solutions that capture a point-in-time copy (backup) of enterprise workloads in on-premises, hybrid, multi-cloud and SaaS environments. These solutions write the data to a secondary storage target so the data can be recovered in case of loss.

For a backup to count as a recovery control against a destructive incident such as ransomware, at least one copy should be immutable or offline so that an attacker with administrative credentials cannot delete it, and restores should be exercised regularly rather than assumed to work.

  1. Veeam Data Platform [https://www.veeam.com/vm-backup-recovery-replication-software.html]
  2. Cohesity DataProtect [https://www.cohesity.com/products/dataprotect/]
  3. Rubrik [https://www.rubrik.com/products/zero-trust-data-management]

Employee Awareness and Training

The Employee Awareness and Training section aims to cultivate a culture of cybersecurity awareness and competence among all personnel to mitigate the risk of human error and enhance overall security posture. This part of the policy establishes a framework for delivering comprehensive training programs and ongoing awareness initiatives tailored to employees’ roles and responsibilities within the organization.

The Security Awareness Computer-Based Training (SACBT) market is characterized by vendor offerings that include one or more of the following capabilities: ready-to-use training and educational content; employee testing and knowledge checks; availability in multiple languages, natively or through subtitling or partial translation (in many cases, language support is diverse and localized); phishing and other social engineering attack simulations; and platform and awareness analytics to help measure the efficacy of the awareness program.

  1. KnowBe4 Enterprise Awareness Training Program [https://www.knowbe4.com/en/products/enterprise-security-awareness-training/]
  2. Hoxhunt Security Awareness [https://www.hoxhunt.com/product/security-awareness-training]
  3. Cofense PhishMe [https://cofense.com/phishing-security-awareness-training/]

Key Takeaways

Compliance with RMiT policy is mandatory for all financial institutions operating under the jurisdiction of Bank Negara Malaysia. Failure to comply may result in penalties, fines, or regulatory sanctions, which can damage the institution’s reputation and financial stability.

By adhering to RMiT policy requirements, financial institutions strengthen their security posture and resilience against evolving cyber threats and vulnerabilities, which in turn fosters trust and confidence among customers, investors, and stakeholders and enhances the institution's reputation and competitiveness in the market.

Overall, compliance with BNM's RMiT policy is essential for financial institutions to mitigate technology-related risks, maintain customer trust, ensure operational continuity, and limit legal and reputational exposure in an increasingly digital and interconnected financial landscape.
