Bank Negara Malaysia’s (BNM) revised Risk Management in Technology (RMiT) policy document, issued 28 November 2025, introduces the most significant update to Malaysia’s financial sector cybersecurity requirements in years. For banks, insurers, payment operators, and other regulated financial institutions in Malaysia, compliance is not optional: all requirements marked “S” (Standard) carry direct legal force, with enforcement action available against the institution, its directors, and officers personally (RMiT para 1.3).
This article sets out what the November 2025 update requires, where institutions typically fall short, and how THEOS Cyber maps its services to RMiT’s mandatory obligations.
IMPORTANT: Financial institutions must submit a gap analysis and action plan to BNM within 90 days of the 28 November 2025 issuance date (S 18.1).
What the BNM RMiT November 2025 Update Changes
The 2025 revision goes beyond incremental updates. It mandates a shift from compliance-based oversight to proactive, risk-informed resilience. The update sharpens requirements on board accountability, cyber resilience, and the governance of emerging technologies including artificial intelligence.
Key themes of the 2025 update include:
- Zero-Trust Principles (S 11.3d): Institutions must adopt zero-trust architecture and defence-in-depth controls to protect infrastructure against evolving threats. Zero trust is an architectural principle, not a product: no implicit trust is granted on the basis of network location, and every access to a system or data is authenticated, authorised and continuously verified, with layered controls so that the failure of one does not expose the whole estate.
- Board-Level Accountability (S 8.1–8.5): The Board bears explicit, documented responsibility for approving cybersecurity strategic plans, reviewing technology risk appetite, and engaging directly in cyber drills.
- Emerging Technology Governance (Appendix 9): Institutions deploying new technologies, including AI systems, must conduct structured risk assessments, implement adequate controls, and monitor on an ongoing basis before and during production use.
- Operational Resilience (S 10.31–10.32): Prescriptive time-bound obligations on capacity planning, service degradation detection, customer impact measurement, and stand-in processing capability by 30 September 2027.
- Public Trust (S 11.1): Strengthening defences to combat sophisticated digital crimes and maintain the stability of Malaysia’s financial system.
The In-House Compliance Burden for Malaysian Financial Institutions
Meeting the “S” requirements of RMiT 2025 entirely in-house is a significant operational and financial undertaking. Cybersecurity for banks in Malaysia now demands sustained investment across four areas:
- 24/7 Security Operations Center (SOC) Operations: Industry benchmarks indicate 8–12 specialised analysts are required to maintain full shift coverage, including weekends and public holidays.
- Enterprise-Grade Technology: Investing in Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and AI-driven threat hunting tools is capital-intensive.
- Specialist Talent: Recruiting and retaining certified cybersecurity professionals in a competitive talent market is an ongoing management burden.
- Multiple Mandatory Exercises: The triennial red team exercise, annual penetration tests, quarterly vulnerability assessments, annual cyber drills, and emerging technology risk assessments each require distinct specialist capabilities.
For many institutions, the most efficient path to BNM RMiT 2025 compliance is partnering with a licensed managed security services provider in Malaysia rather than building all capabilities in-house.
RMiT 2025 Requirement Mapping: THEOS Cyber Managed Security Services
| RMiT Requirement | THEOS Service | Citation | What This Means for Your Institution |
|---|---|---|---|
| 24/7 SOC with competent resources for continuous proactive monitoring and timely detection of anomalous activities | MTDR | S 11.9; Appendix 5, Part C | Immediate access to a fully-staffed 24/7 managed SOC, satisfying the most resource-intensive RMiT mandate without headcount expansion. |
| Quarterly vulnerability assessments and annual intelligence-led penetration tests across all critical systems and digital services | VAPT | Appendix 5, Part D, paras 2–3 | Structured quarterly scanning and extreme-scenario penetration testing aligned to BNM’s mandatory cadence, conducted by suitably accredited testers. |
| Realistic adversarial simulation attack on infrastructure at least once every three years | Red Teaming | S 11.6 | Adversarial simulation using real-world Tactics, Techniques and Procedures (TTPs) with minimal advance disclosure, testing true institutional resilience. |
| Comprehensive Cyber Incident Response Plan (CIRP); independent compromise assessment of critical systems every three years | DF/IR (Digital Forensics and Incident Response) | S 11.13; Appendix 5, Part D, para 6 | Expert-led root-cause analysis, forensic evidence preservation, and the mandatory independent compromise assessment delivered by a qualified external party as required by BNM. |
| Collect, analyse and evaluate cyber threat intelligence including dark web and social media monitoring for data breach indicators | MTDR | S 11.10 | Continuous threat intelligence feeds, including dark web monitoring, so that exposed credentials, leaked data and emerging campaigns targeting the institution are identified early and fed back into detection and response rather than discovered only after an incident. |
| Annual cyber drill exercise with board and senior management participation; board members must receive regular technology training and updates | MTDR + DF/IR | S 11.16; S 15.3; S 8.4 | THEOS Cyber facilitates annual cyber drills and provides executive-level briefings and board reporting, enabling documented demonstration of active oversight to BNM examiners. |
| Financial institutions must govern the risks of emerging and new technologies, including AI systems deployed in production, with adequate testing, monitoring, and risk assessment | VAPT + AI Assessment | Appendix 9; S 9.2(c) | THEOS Cyber supports institutions in meeting the pre-production testing, ongoing monitoring, and risk assessment requirements that RMiT imposes on all emerging technologies, including AI systems in production environments. |
Frequently Asked Questions: BNM RMiT 2025 Compliance
The following questions address common queries from compliance teams, CISOs, and board members at Malaysian financial institutions navigating the November 2025 RMiT update.
What does the 120-minute Maximum Tolerable Downtime rule mean under RMiT 2025?
Under RMiT S 10.32, critical systems must not exceed 120 minutes of unplanned downtime per incident, with a cumulative annual limit of 4 hours. This is a service availability requirement affecting system design, incident response speed, and recovery capability, not just monitoring. Because the clock runs from the onset of the outage, the time taken to detect and triage an incident counts against the 120 minutes, so detection latency must be measured in minutes, and the architecture and recovery plans must independently be capable of restoring service within the remaining window. THEOS Cyber 24/7 Managed SOC provides continuous monitoring and rapid detection to help contain incidents before the MTD clock expires.
What is a Compromise Assessment and why does RMiT require one every three years?
A Compromise Assessment looks for evidence that a threat actor is already inside the network. BNM requires an independent external party to conduct this on critical system infrastructure at least once every three years (Appendix 5, Part D, para 6). Unlike a penetration test that identifies potential vulnerabilities, a Compromise Assessment hunts for active or historic intrusions that automated tools routinely miss. THEOS Cyber provides the independent technical expertise and forensic analysis required by BNM.
Does the Board of Directors need to be actively involved in cybersecurity under RMiT 2025?
Yes. RMiT 2025 imposes specific, mandatory obligations on the Board — not just senior management. The Board must: approve and review IT and cybersecurity strategic plans covering a minimum three-year horizon (S 8.2); allocate dedicated time to discuss cyber risks at the strategic, reputational and liquidity level (S 8.4); participate in cybersecurity awareness and training programmes (S 8.4c); and receive the results of the annual cyber drill in a timely manner (S 11.16). These are Standard requirements that BNM examiners will assess. THEOS Cyber supports board-level obligations through two capabilities: regular executive-level cyber briefings that translate technical risk into strategic and reputational terms the board can act on; and facilitation of the mandatory annual cyber drill, including scenario design, exercise conduct, and post-exercise reporting to the board.
How should Malaysian financial institutions govern AI systems under RMiT 2025?
RMiT already imposes governance obligations on AI and other emerging technologies through Appendix 9, before any dedicated AI legislation takes effect. Appendix 9 requires institutions to conduct structured risk assessments before deploying any new technology in production, implement adequate testing against service quality and information security objectives, and maintain ongoing monitoring to detect and mitigate risks as they emerge. Institutions must also be prepared to suspend use of emerging technology applications when extreme adverse events arise. THEOS Cyber Vulnerability Assessment and Penetration Testing (VAPT) and AI Assessment service supports institutions in meeting these obligations: covering pre-production security testing, ongoing monitoring for compliance, and risk assessment documentation that demonstrates regulatory readiness.
Contact THEOS Cyber
THEOS Cyber is a pure-play managed security services provider (MSSP) with service offerings aligned with BNM RMiT 2025 compliance requirements. Our MTDR, VAPT, Red Teaming and DF/IR services are mapped directly to RMiT’s mandatory “S” standards.
Contact THEOS Cyber to discuss how your organisation maps to BNM’s November 2025 requirements.