Malaysia’s financial institutions (FIs) are grappling with the heightened demands of Bank Negara Malaysia’s (BNM) updated Risk Management in Technology (RMiT) policy, a regulatory framework aimed at fortifying cybersecurity, third-party risk management, and operational resilience. The policy, whose latest revisions came into force in mid-2023 and mid-2024, imposes more stringent safeguards and reporting obligations. A November 2024 Exposure Draft signals even broader application, extending requirements to smaller institutions and non-bank market participants.
At the heart of the challenge is the mandatory adoption of advanced security measures, such as multi-factor authentication (MFA) for high-risk transactions and the shift to zero-trust architecture (ZTA). While these steps can significantly reduce cyber threats, many Malaysian banks are hindered by legacy core banking systems ill-suited for seamless integration. The transition to ZTA, in particular, demands extensive infrastructure upgrades, micro-segmentation, and real-time threat analytics — capabilities beyond the current reach of many smaller players.
Cloud security governance is another sticking point. BNM’s rules require meticulous due diligence on cloud service providers, enforcing strict standards on data localization, encryption, and accountability under shared responsibility models. Given the opaque nature of some cloud environments, in-house teams often lack the expertise to assess residual risks effectively.
Third-party risk management (TPRM) rules are tightening, with continuous monitoring now on the table. Traditional manual audits and annual reviews will no longer suffice, forcing a move toward automated oversight of vendor cybersecurity postures. Without such systems, FIs risk compliance gaps, operational vulnerabilities, and reputational damage.
Incident reporting rules are similarly uncompromising, mandating near-immediate notifications to BNM, annual cyber drills, and thorough post-incident reviews. The Exposure Draft’s provisions could further compress reporting timelines and raise the bar for operational resilience.
These requirements collide with structural constraints — skills shortages in cybersecurity, outdated IT infrastructure, and budget pressures. Smaller institutions face especially steep trade-offs between investing in compliance and pursuing other strategic initiatives. Many lack board-level expertise on technology risk or the in-house capacity to design and execute large-scale upgrades.
The regulatory burden is compounded by overlapping rules from other authorities like the Securities Commission. Experts argue that mere box-ticking will not suffice; FIs must embed RMiT compliance into long-term strategies that enhance resilience and customer trust.
Industry consultants, such as Capco Malaysia, see an opportunity to bridge capability gaps, offering phased modernization, regulatory intelligence, and AI-driven TPRM tools. Institutions that embrace RMiT as a strategic advantage — not just a compliance exercise — could strengthen market positioning while mitigating emerging risks from AI, blockchain, and open banking.

Source: Capco