Compliant Cloud Adoption in Malaysia


Introduction

If you are reading this, you likely have an understanding of what Risk Management in Technology (RMiT) is and how crucial this piece of regulatory policy is for cloud adoption by Financial Institutions (FI) in Malaysia. With the promotion of the Cloud Technology Risk Assessment Guideline (CTRAG) to a full-fledged RMiT appendix in June of 2023, we take a deep dive into the ins and outs of the RMiT cloud compliance requirements on your road to cloud adoption and focus on the impact and significance of recent changes in Bank Negara Malaysia’s (BNM) wording.

At Sourced we often remind our customers of the following: “You cannot outsource your risk management decisions.” This is relevant in the context of this blog as we analyse and put some structure around RMiT and its implications. It is important that each FI build its own interpretation of, and stance on, any regulatory or compliance requirement. Being able to articulate this understanding is the first step towards formulating a compliant strategy in response to these requirements.

The concept of risk assessment is pervasive throughout RMiT for obvious reasons. It is however important to note that in relation to cloud adoption, BNM puts a strong emphasis on each FI assessing the inherent risks of its cloud adoption use cases and architectures, as well as its specific implementation of risk mitigations. In ‘shared responsibility model’ terms, this means the focus is on the risks owned by the ‘Cloud User’ rather than those owned by the ‘Cloud Provider.’

Some Key RMiT Terminology

  • Standard (‘S’) vs. Guidance (‘G’): Every paragraph in Parts B and C of RMiT is denoted by ‘S’ when it is intended as a standard, obligation or requirement of BNM, or by ‘G’ when it is intended as guidance or context that helps frame the requirements and control objectives for the reader. This is a thoughtful indicator that we believe other regulators could usefully consider and adopt.
  • “Critical System” refers to any application system that supports the provision of critical banking, insurance or payment services, where failure of the system has the potential to significantly impair the financial institution’s provision of financial services to customers or counterparties, business operations, financial position, reputation, or compliance with applicable laws and regulatory requirements. 
  • “Higher-risk public cloud services” refers to cloud services involving the processing or storage of customer information, or if data will be transmitted across borders. 

Breaking Down the Compliance Requirements

To make sense of the RMiT cloud compliance requirements, we will refer to them as six groups of requirements. The RMiT paragraphs and sections referenced here form the key parts of the document in relation to cloud adoption:

a. General cloud adoption risk assessment: The top-down, organisation-wide assessment every FI needs to conduct to demonstrate a full understanding of inherent public cloud risks (S 10.49) 

b. System-level risk assessments: Risk assessments the FI must conduct for each of its critical systems prior to migration (G 10.50) and for non-critical systems as and when directed by BNM (G 15.4)

c. Third-party pre-implementation review: This is required when migrating a critical system if ‘higher-risk public cloud services’ are involved, and should cover areas listed in Appendix 10 and Part A of Appendix 9 (S 15.1) 

d. Consultation and notification: Steps required prior to migrating a system to the cloud (Section 15) 

e. Gap analysis: A summary of compliance gaps and remediation plans each FI should produce and maintain (Section 16) 

f. Cloud adoption roadmap: A roadmap each FI should maintain and submit as part of the annual outsourcing plan (S 15.5) 

Applicability of the Updated RMiT

When do all these changes kick in for those currently on the path to cloud adoption?

BNM allows for a transition period (until 31 May 2024) during which all financial institutions except licensed digital banks or licensed Islamic digital banks can continue to follow the previous RMiT version (June 2020). The paragraphs and sections mentioned in this blog (and Appendix 10) come into effect on 1 June 2024.

Summary of Changes

The 2023 RMiT revision reflects a sharpening of BNM’s focus on critical systems and ensuring FIs conduct appropriate due diligence in the buildup to a migration, whereas the requirements for non-critical systems are now somewhat less stringent.

Furthermore, the addition of an entirely new Section 15, titled “Consultation and Notification related to Cloud Services”, helps clarify the regulator’s expectations on how FIs should engage with it.

Let’s highlight some of the key changes impacting the path to compliant cloud adoption:

a. General cloud adoption risk assessment 

The scope of this assessment now extends to the location where cloud services will be hosted, including potential geo-political risks and legal risks that may impede compliance with any legal or regulatory requirement. (S 10.49)

b. System-level risk assessments 

When assessing Critical Systems, the scope of risks to consider has been expanded to the newly introduced Appendix 10. Note that this paragraph is labelled as guidance and uses the term “should”, suggesting there is some flexibility in applying the risk framework, provided the FI is prepared to justify any deviation from the measures outlined. (G 10.50)

c. Third-party pre-implementation review 

This requirement now applies only to ‘higher-risk public cloud services’ (see definition above) and is no longer limited to use cases such as e-banking, Internet insurance and Internet takaful, as it previously was. (S 15.1)

d. Consultation and notification 

First-time adoption for critical systems (S 15.1): With the above requirements fulfilled, i.e., the general cloud adoption risk assessment (a), the system-level risk assessment (b) and the third-party pre-implementation review where applicable (c), FIs should:

  • First, provide confirmation from the CISO or the board-level committee (as per 8.4) of the FI’s readiness to adopt cloud for critical systems (using the template provided in Appendix 8) 
  • Then, consult with BNM prior to first time adoption for critical systems 

For subsequent adoptions for critical systems (S 15.2), the FI should update and submit all information required by 15.1, provided that:

  • 15.1 has been adhered to for the initial critical system migration, with no concerns raised by BNM
  • The FI has enhanced its technology risk management framework to address cloud risks
  • The FI has obtained independent assurance on the enhanced framework
  • The FI has provided assurance to BNM on its enhanced incident response to cater for adverse or unexpected events

Notification for non-critical systems is no longer required, but system-level risk assessments for these should still be done based on the scope laid out in 10.49 and made available for review upon request. Note that, as per 15.4, BNM may direct the FI to comply with 15.1 and 15.2 for a specific non-critical system; otherwise, no prior consultation or notification is required.

e. Gap analysis 

FIs already on the cloud or with a migration in progress should have submitted a gap analysis against the revised RMiT requirements by the end of August 2023. (S 16.1)

With the revised wording, the gap analysis becomes a “continuous” exercise with an annual report to be made available to BNM upon request. 

f. Cloud adoption roadmap 

FIs should continue to include the cloud adoption roadmap for both critical and non-critical systems in the annual outsourcing plan submitted to BNM, and ensure that the general cloud adoption risk assessment (a) is made available for review upon request. (S 15.5)

Putting it all together: Process Flowchart

[Figure: Sourced Group RMiT migration process flowchart]

What Can We Infer from this Revision?

While BNM has clearly worked to elaborate a more thorough cloud risk framework to be used by FIs in Appendix 10, it has also streamlined requirements in a couple of ways: 

  • Simplified consultation and notification procedure 
  • No systematic submission for the migration of non-critical systems 

The changes also signal an expectation that FIs apply the lessons of their initial cloud migration, enhancing their risk management practices and incident response capabilities specifically with cloud risks in mind, before they start their second critical system migration.

Overall, we feel the changes brought by the 2023 RMiT revision show progressive thinking on the part of BNM and a supportive attitude towards public cloud adoption. While the revision brings a more thorough framework against which FIs need to understand, evaluate and mitigate cloud risks, it also provides a simpler path towards compliant cloud adoption, one FIs can embark on with clarity and confidence.

Compliance Mapping as a Key Enabler

The Sourced methodology advocates a ‘Compliance Mapping’ exercise as a key part of compliant cloud adoption. Given that the requirements from BNM are likely to overlap with your own internal security requirements as well as the other standards, assurance frameworks and industry best practices you are trying to align with, it is crucial to map all of these frameworks against one another to make sense of your compliance landscape. In addition to providing a consolidated framework for technical and compliance teams to consume, the mapping helps identify control gaps as your cloud environment matures and serves as the foundation for your cloud compliance monitoring.

Sourced has done countless mapping exercises for highly regulated customers, and one thing that stands out is that one size does not fit all: beyond the compliance landscape, each organisation’s needs, means, control maturity and strategy tend to result in a bespoke framework, one that is fit for purpose and designed with a long-term cloud security strategy in mind.

Take Your Organisation’s Cloud Compliance to the Next Level

Contact us for a consultation on how we can help you improve your organisation’s cloud compliance.


Disclaimer 

This blog post is intended for general guidance only and is provided on an “as is” basis without warranty of any kind. As we are not legal or compliance advisors, this guidance is based on our interpretation of BNM regulation and should not be taken as final. Sourced Group does not guarantee the completeness, reliability, or accuracy of the information contained herein and you should therefore consult your compliance team and/or legal counsel. 

Max is a lead consultant at Sourced and brings over 15 years of extensive experience in security and risk management. His expertise lies in identifying and solving complex security and compliance issues, both at technology and process level.