The Trigger
A BNM Risk Management in Technology regulatory requirement for incident preparedness exercises, combined with heightened threat activity across the Malaysian financial sector. The engagement was driven by a proactive decision from the organisation’s security leadership to test response capability at every level, beyond the regulatory requirement.
The Relationship
The organisation’s Head of Information Security had worked with Theos at a previous employer and brought the relationship across when they moved. This engagement was not won through a procurement process. It was a professional endorsement. A senior security professional moved employers and brought Theos with them.
The Theos Approach
Executive-Level Tabletop
A facilitated incident scenario for senior leadership, covering decision-making under breach and operational disruption pressure. Scenarios were aligned to the BNM RMiT framework and the specific threat landscape facing insurance operators in Malaysia. Participants included Malaysian leadership and international parent company representatives. Theos engaged at board level and governance level simultaneously.
Technical-Level Tabletop
A separate exercise for the technical team and SOC, running the same incident scenarios at operational depth. Detection logic, escalation procedures, containment decisions, and regulatory notification timelines were all tested. Gaps identified at the technical level were documented with remediation recommendations.
BNM RMiT Alignment
Both exercises were structured to satisfy BNM RMiT regulatory requirements and produce documentation suitable for regulatory evidence. Theos produced post-exercise reports for each tier, with findings mapped to BNM RMiT obligations and remediation priorities ranked by risk.
"Theos engaged credibly at board level and at SOC level in the same programme. The ability to do both simultaneously, and produce documentation that holds up to BNM examination, is what made the difference."