Risk manager: Bank Negara Malaysia

When Covid-19 struck in early 2020, it didn’t take Bank Negara Malaysia long to realise that its zero-tolerance approach towards information leakage was not entirely workable with everyone working away from the central banks’ offices. Malaysia’s central bank is now in the final stages of a multi-year project to overhaul its previous binary framework and replace it with something much more nuanced.

“We realised that, if we were going to stick with zero risk tolerance, then we would either have to ask people not to connect to the internet at all or make a significant investment in making sure everything was properly protected. So, we shifted our thinking to developing protocols for managing security breaches should they occur,” says Beh Cheng Hoon, director of the central bank’s risk management department.

At first, taking a scalpel to the existing risk management framework that had been in place for so long was somewhat chaotic. Lockdowns caused by a hitherto unknown virus, Covid-19, was upending the financial world, and no-one really knew how to deal with it. But over time, the reform settled down into a more structured and carefully considered initiative.

Departments were asked to classify their information assets based on the potential damage a security breach could cause. “When working with departments, there are often requests for full protection of information. To strike a balance between protecting sensitive information and making it more accessible where appropriate, we follow a methodical approach that considers the level of protection required for each asset. This allows us to ensure that our approach to information security is both effective and efficient,” says Beh.

Information assets were assigned one of three categories. A high-priority information asset, where no leakage can be tolerated, includes files that contain state secrets or those where disclosure could damage the reputation of Bank Negara or Malaysia. Examples where only a very low risk of leakage can be tolerated, include specific details of the reserve portfolio, which the central bank prefers to keep private. The third category includes other information assets, where disclosure would be inconvenient but not materially damaging.

Building in resiliency

Having spent much of 2020 and 2021 assigning risk-tolerance thresholds to its information assets, the past 12 months have seen Bank Negara Malaysia developing and fine-tuning its resilience framework around these assets.

Files are now stored according to the risk priority that each has been assigned. When a staff member transfers a file to an external party, the central bank system will analyse it to see if it contains any information that should be protected. It will then notify the relevant department based on the level of threat that has been detected. “Upon receiving this notification, appropriate actions will be taken to investigate the matter, to determine if there was a legitimate reason for the information to be shared with the respective party,” says Beh.

At present, such notifications are being kept to a minimum while the respective information owner together with the risk management team try to weed out the false positives. “This involves close collaboration between the business and IT teams to ensure that the system accurately identifies and alerts on potential security threats while minimising the occurrence of false positives,” Beh says. 

Once the email notification system is fully up and running, Beh’s team plans to move over to full blocking of certain information assets, so that they cannot be sent out anymore. Corrective action will also be introduced as part of the process, to warn members of staff about the need to safeguard information assets, or to discipline them in cases where a security breach has been deliberate or malicious.

Far-reaching change

Bank Negara Malaysia is not the only central bank to upscale its risk management architecture in the wake of Covid-19. Indeed, the Malaysian central bank has sought to learn from what others have been doing.

However, while other central banks have taken targeted measures to guard against information leaks within mission-critical units, it is less usual to try to introduce the framework throughout the institution. To guarantee consistency throughout the organisation, an officer from the risk management team is appointed to each department to serve as an ambassador for the restructuring.

“We had to make sure that every single department was behind this reform,” says Beh. “They are the ones that are driving the change, establishing the key risk indicators and ultimately taking ownership of the risk appetite statement.”

Such a sweeping change would not have been so successful if it didn’t have buy-in from the most senior echelons of the central bank. “The risk appetite must be visible to everyone within the organisation, with a very clear message from the top. Only then can things be properly implemented,” says Beh.

The Operational Risk Management Committee, chaired by a deputy governor, Jessica Chew Cheng Lian, is the key oversight committee within the central bank for the new information security management system. This committee reports directly into the Risk Management Committee, which in turn is chaired by governor, Nor Shamsiah Mohd Yunus.

Raising awareness

Raising awareness through the bank, and educating members of staff within the various departments, has been critical to the success of the project. “In 2022, we spent a lot of time engaging with each of the departments to help them understand when an information transfer is a breach and when it is not a breach, and to reach some common understanding of what the different classifications of risk appetite mean,” Beh says.

Beh's team felt the best way of doing this was to create a series of videos: one to explain what information security is; one to improve the understanding of how it should be protected; and a third to highlight the dos and don’ts of file storage. Once staff members have watched the videos, they have to complete a short questionnaire to prove they have understood the contents.

On top of this, the risk management team also meets with departmental heads quarterly to discuss any particular issues that had arisen because of the new system. “Risk management may not be the priority of all departments because they have their own KPIs to achieve,” says Beh. “This is where the risk management department has to put in the effort to engage and raise awareness throughout the entire organisation.”

The Central Banking Awards 2023 were written by Christopher Jeffery, Daniel Hinge, Dan Hardie, Joasia Popowicz, Ben Margulies, Riley Steward, Jimmy Choi and Blake Evans-Pritchard.