Bank Negara Malaysia issues Policy Document on Business Continuity Management

Following on from the issue of an exposure draft in December 2021, Bank Negara Malaysia (‘BNM’) issued the policy document on Business Continuity Management (‘BCM Policy Document’) on 19 December 2022. The BCM Policy Document will come into effect on 19 December 2023 (except for requirements on testing of a disaster recovery plan specified in paragraph 9.48 which will come into effect on 19 December 2025).
The BCM Policy Document applies to licensed banks, licensed investment banks, licensed Islamic banks, licensed insurers, licensed takaful operators, prescribed development financial institutions, operators of designated payment systems and approved issuers of electronic money (individually an ‘FI’ and collectively ‘FIs’).
The BCM Policy Document seeks to: 
  • facilitate the development and implementation of a robust business continuity management (‘BCM’) framework, policies and processes by FIs;
  • strengthen the capacity and preparedness of FIs to respond and recover from operational disruptions; and
  • preserve the continuity of critical business functions (‘CBFs’) and essential services within a specified timeframe in the event of an operational disruption. 
To achieve the aforesaid objectives, the BCM Policy Document requires each FI to, among others: 
  • undertake risk assessment (‘RA’) to identify potential risks that may cause business disruptions and result in the FI’s inability to fulfil its business obligations;
  • conduct a business impact analysis (‘BIA’) to assess the potential impact of various disruption scenarios to the FI;
  • identify CBFs based on the outcomes of the RA and BIA;
  • determine, based on the RA and BIA, the business continuity objectives of its CBFs, including the maximum tolerable downtime (MTD) and recovery time objective (RTO);
  • develop and establish a comprehensive recovery strategy that includes a crisis management plan (‘CMP’), business continuity plan (‘BCP’) and disaster recovery plan (‘DRP’) to guide recovery actions for all CBFs;
  • establish a committee (which is to be led by a member of the senior management and comprising members with relevant expertise) to be accountable for the development and implementation of the BCM framework;
  • establish a crisis management team (‘CMT’) comprising key representatives of senior management to make key decisions during a crisis;
  • formulate a crisis communication strategy and crisis communication plan as part of its CMP; and
  • establish its alternative site and recovery site that can be used if its business premises, infrastructure or systems supporting the CBFs become unavailable in the event of a disruption. 
An FI’s BCP must include contingency arrangements for the continued availability of essential services such as self-service terminals (e.g. automated teller machines (ATM) and cash deposit machines), online services (e.g. electronic banking, mobile banking, trading platforms, payment card services, money changing, fund transfers and electronic money services), call centres, issuance of guarantee letters for medical insurance or medical takaful coverage, claims processing and issuance and renewal of insurance policies and takaful certificates and authorisation, clearing and/or settlement of payment transactions.
The BCM Policy Document also sets out factors that are to be taken into consideration by an FI in performing the RA and BIA, determining its CBFs and the business objectives for CBFs, formulating the CMP, BCP, DRP and the crisis communication plan, and establishing its alternate site and recovery site. It also sets out the requirements for a regular review and testing of an FI’s BCM. FIs are also required to ensure their CMP, BCP and DRP provide for all outsourcing arrangements and comply with the relevant requirements in BNM’s policy document on Outsourcing.
The BCM Policy Document requires an FI to notify BNM of all non-cyber and cyber incidents in accordance with BNM’s prescribed templates via BNM’s centralised email system (or via alternative channels where notification through the centralised email is not possible) as soon as the FI is able to do so.
For non-cyber incidents, an FI must categorise the level of disruption (‘LoD’) that affect the CBFs based on the locality and notify BNM of such disruption based on the timelines corresponding with the LoD under paragraph 10.4 of the BCM Policy Document.
For all cyber incidents, an FI must notify BNM within two hours upon the confirmation of the disruption. ‘Confirmation’ (of the disruption) is clarified by BNM in the BCM Policy Document to mean ‘following a preliminary investigation to determine if the incident is cyber centric or originated from a cyber related root cause (e.g. ransomware, DDoS, data leak).’
In addition, the BCM Policy Document outlines the roles and responsibilities of the board of directors, senior management and the CMT in the implementation of the FI’s BCM framework. An FI may also establish a BCM function either as a standalone function or as part of other functions, whose responsibilities may include coordinating and facilitating the implementation, testing and review of the BCM function, reporting to the committee on the implementation and issues relating to the BCM framework and coordinating actions on business continuity and recovery in the event of a disruption.
When the BCM Policy Document comes into effect, it must be read together with the documents set out in paragraph 6.1 and will replace the documents set out in paragraph 7.1 thereof.
Alert by Lee Ai Hsian (Partner) of the Banking and Finance Practice and Grace Teo Shi Kay (Senior Associate) of Corporate Practice of Skrine.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact