This article first appeared in Digital Edge, The Edge Malaysia Weekly on January 8, 2024 - January 14, 2024

In the dynamic and ever-changing realm of today’s digital landscape, the importance of information security cannot be overstated. As organisations increasingly depend on technology to drive their operations, the looming spectre of cyberthreats remains an unrelenting and pressing challenge.

For financial institutions (FIs), in particular, information security goes beyond protecting sensitive customer data; it encompasses safeguarding the stability of the global financial system. To that end, a risk-based approach, assessment and management strategy are indispensable to mitigating the threats and vulnerabilities inherent in this industry.

In a move to bolster technology risk management practices, Bank Negara Malaysia in June 2023 announced updates to the Risk Management in Technology (RMiT) policy. This updated policy serves as a guiding beacon for FIs to strengthen their cloud risk management capabilities.

These updates are driven by two critical factors: to provide an alternative for FIs to adopt cloud computing for critical systems and the imperative to those already using public cloud computing to embrace a risk-based approach to their cloud activities. These shifts will undoubtedly result in a massive expansion of the attack surface, arising from the usage of cloud and third-party providers — all facets that the RMiT guidelines address.

Cognisant of this, cybersecurity risk assessment offers a useful examination of the cyber risk and digital attack surface of a company. Regarded as an insightful tool, the fundamental components of risk assessment empower chief information security officers (CISOs) and security operations centre (SOC) teams to undertake decisions that will ultimately diminish the cyber risks confronting their organisation.

Effective governance is a cornerstone of ensuring compliance with the RMiT policy. To that end, it is vital for boards of FIs to institute frameworks and establish systems to oversee the company’s IT and cybersecurity strategic plans. This includes the appointment of a pivotal stakeholder to take the lead in the overall implementation of these plans: the CISO.

The CISO’s role will therefore evolve and transcend beyond traditional cybersecurity concerns, encompassing the oversight of service level agreements and the assessment of risks associated with using cloud and third-party assets.

Empowering the CISO with comprehensive risk-based data from a single source of truth is crucial for making informed decisions and proactively addressing emerging threats.

The updated RMiT policy permits FIs to leverage the public cloud for critical applications, including banking and finance software, interbank transfers, mobile banking and payment systems.

However, this freedom comes with constraints. FIs must conduct a formal cloud security risk assessment and submit it to Bank Negara before moving critical systems to the cloud.

This requirement underscores the need for a cautious approach to cloud usage, considering its implications for data security and operational integrity. When migrating to the cloud, organisations can implement the following best practices:

•     Infrastructure as Code (IaC): Utilise IaC tools to build cloud environments and templates that adhere to the risk management policies provided. These templates can be shared with regulators to demonstrate compliance, as and when requested.

•     Managing security for third-party code: Many cloud-based codes rely on external libraries provided by third parties. Hence, mitigating potential risks that come with utilising external services early is crucial for high-quality, compatible and secure codes.

•     Enhancing cloud detection and response: Given the increasing complexity of cyberattacks, SOCs must correlate real-time data by collecting cybersecurity information from various sources, including cloud detection and response solutions. This enhances incident response capabilities by providing valuable context.

The RMiT policy has redefined the scope of SOCs, expanding their role significantly. While their core responsibilities remain 24/7 monitoring, threat hunting and vulnerability assessments, they now wield a broader mandate: detecting and responding to threats across on-premises, cloud and third-party assets.

This shift comes against the backdrop of the pervasive issue of alert fatigue, arising from the overwhelming volume of alerts and siloed viewpoints.

To address this, organisations can leverage cybersecurity platforms such as Trend Vision One, which provides SOC analysts with a single source of truth that streamlines the correlation of incidents and reduces investigation times. This platform collects data from various sources, including email, web, network, endpoints, servers and the cloud, providing a more complete attack history and enabling quicker and more accurate responses.

Maturing SOCs is also crucial to effectively combat evolving cyberthreats in the cloud era. Achieving this requires a concurrent focus on continuous training, strategic technology investments and alignment with the organisation’s risk posture.

Traversing the evolving RMiT policy framework is by no means a small feat. However, prioritising cybersecurity and embracing changes in the technology landscape will place FIs in a stronger position to secure the resilience and security of their operations.

This journey demands adaptability, collaboration and a steadfast commitment to safeguarding the financial sector against emerging cyberthreats.

In this landscape, strategic partnerships with reliable cloud security providers can help FIs meet regulatory requirements while ensuring they have the right tools and effective oversight for risk management.

However, it is crucial to avoid complete delegation of cloud management; the board and senior management must proactively retain comprehensive oversight of its cloud infrastructure.

It goes without saying that the role of the CISO as a key stakeholder in this risk-based approach is crucial. Their leadership is paramount in safeguarding FIs and their customers from cyberthreats, fraud and regulatory non-compliance.

As cyberattacks continue to grow in sophistication and volume, the role of CISOs is more vital than ever, and their ability to adapt to evolving threats will define the industry’s security posture.

Goh Chee Hoh is managing director of Trend Micro Malaysia, a Japanese multinational cybersecurity software company

Save by subscribing to us for your print and/or digital copy.

P/S: The Edge is also available on Apple's App Store and Android's Google Play.