Boards to Move Beyond Passive Oversight into Active Governance in the Latest BNM's RMiT Exposure Draft
Hello again,
The latest RMiT Exposure Draft (ED) 2024 is out, and I’ve taken a deep dive into it, particularly Section 8 on the board's roles and responsibilities. If you think this is just another regulatory update, think again. This ED represents a pivotal shift in how technology and cyber risks are governed at the board level. Let's break it down.
What’s New?
Customer Impact Tolerance - A Game Changer
One of the most significant changes is the introduction of customer impact tolerance. Senior management is now required to establish how much disruption to essential services customers can tolerate. The board’s job? Review this assessment and ensure it feeds into the organization’s crisis management plan. This signals a major shift towards customer-centric resilience planning. No longer is resilience just about uptime or recovery times; it’s about understanding the customer’s breaking point and baking that into FIs’ strategies.
Cyber Risk Discussions - Now with Dedicated Time Slots
In the current RMiT policy document, boards were asked to “discuss” cyber risks. The 2024 ED takes it further, mandating that boards "allocate sufficient time" for these discussions. This includes exploring the strategic, reputational, and liquidity risks tied to cyber incidents. Translation? FIs can’t just lump cybersecurity into the “any other business” section of board meetings. Focused, meaningful conversations are the new standard.
Uniform Standards for All
Say goodbye to the Large Financial Institution (LFI) distinction. This ED removes size-based exemptions. Whether you’re a small player or a financial giant, the expectations are the same. This levels the playing field and ensures even smaller institutions are held to robust standards, enhancing the sector's overall resilience.
Digital Fraud Management - A Rising Priority
With digital fraud skyrocketing, the ED introduces a dedicated section on digital fraud management. Boards must now oversee enhancements to the Cyber Resilience Framework (CRF) to tackle evolving fraud tactics. The message is clear: managing fraud isn’t just an operational task; it’s a strategic imperative, and boards need to take an active role.
Independent Compromise Assessments
FIs are now required to perform independent compromise assessments of their critical systems every three years. Under the current policy document this requirement applies only to LFIs, and on an annual basis; the ED extends it to all FIs but reduces the frequency to every three years. The board must ensure these assessments are carried out and that findings are escalated promptly. This raises the bar on transparency and accountability: it’s not enough to rely on internal checks; external validation is a must.
What’s Stayed the Same?
While the 2024 ED introduces significant changes, some foundational responsibilities remain consistent:
Setting the Technology Risk Appetite: Boards still define and approve the institution’s tech risk appetite, ensuring it aligns with the broader risk framework.
Strategic Oversight: The responsibility for overseeing IT and cybersecurity strategic plans, as well as implementing the TRMF and CRF, remains intact.
Regular Reviews: Both the 2023 policy and 2024 ED emphasize the importance of periodically reviewing IT policies and frameworks to keep them relevant in a changing threat landscape.
Board Expertise & Committees: The need for a board-level technology oversight committee and ensuring board members possess adequate technology expertise remains unchanged.
Audit Function Oversight: The Board Audit Committee (BAC) continues to play a key role in overseeing the effectiveness of the internal technology audit function.
My Take
The 2024 ED is more than an incremental update - it’s a call for boards to move beyond passive oversight into active governance. The focus on customer impact tolerance reflects a broader trend: customers are at the heart of resilience. Similarly, the push for dedicated cyber risk discussions signals that cybersecurity can no longer be an afterthought.
These changes come at a time when cyber threats are not just about data breaches but also about operational disruptions and fraud that directly impact customer trust. Regulators are making it clear: the board is accountable.
For those of us in the cybersecurity space, this is an opportunity to engage the board meaningfully. It’s no longer about scaring them with technical jargon or worst-case scenarios. It’s about framing cyber risks in terms they understand - customer trust, business continuity, and regulatory compliance.
As always, I’d love to hear your thoughts. Are these changes a step in the right direction? Or do they risk overburdening boards? Drop me a note, and let’s discuss!
Stay safe, stay resilient,
Sivanathan