Simuna Infosec
Compliance | 2026-06-20

BNM RMiT: Penetration Testing Requirements for Malaysian Financial Institutions

Bank Negara Malaysia's RMiT policy mandates annual independent penetration testing. Here's what the framework requires — verified, including the November 2025 update.

For financial institutions operating in Malaysia, Bank Negara Malaysia's Risk Management in Technology (RMiT) policy is the central framework governing technology and cyber risk. Understanding its security testing requirements is essential. This article presents only verified facts.

What RMiT Is

Bank Negara Malaysia's (BNM) Risk Management in Technology policy was introduced to address cyber-risk exposures in Malaysian financial institutions. The policy document went into effect on 1 January 2020 and sets out the central bank's requirements for financial institutions' technology risk management. It covers governance, technology risk management, cybersecurity, technology operations, audit, and internal training.

The most recent version of the RMiT policy was issued on 28 November 2025, introducing enhanced requirements across areas including cloud services, digital fraud management, cryptographic controls, and service availability, and extending RMiT standards to more institutions.

The Penetration Testing Requirement

Annual penetration testing is mandatory under RMiT. Critically, RMiT specifies that penetration tests must be conducted by independent, qualified assessors — meaning internal IT teams cannot simply test their own systems. Organisations must engage a qualified third-party VAPT provider.

Beyond the annual baseline, testing should be triggered after major system changes — any significant new application, infrastructure change, or cloud migration — and after a security incident, to verify the attack vector is closed. Lighter-weight vulnerability assessments are expected at more frequent intervals between annual penetration tests.

A Common Compliance Gap

Industry experience indicates that many Malaysian financial institutions fall short by testing only internet-facing systems and skipping internal network assessments and application-layer testing. RMiT expects comprehensive coverage — internet-facing systems, internal networks, and the application layer all warrant testing. Narrow scoping is a frequent source of examination findings.

Incident Reporting Timelines

RMiT establishes strict incident reporting obligations. Based on the framework, initial notification to BNM must be made within a very short window of detection, followed by a full incident report and a subsequent post-incident review report. The precise timelines should be confirmed against the current policy text, but the direction is clear: rapid notification and structured follow-up reporting.

RMiT and PDPA Operate Together

RMiT requirements operate alongside Malaysia's Personal Data Protection Act (PDPA). Financial institutions must address both frameworks simultaneously — RMiT for technology risk and the PDPA for personal data protection.

How Simuna Infosec Helps

As an independent, qualified security specialist, Simuna Infosec provides exactly the third-party penetration testing that RMiT mandates. Our human-led methodology delivers comprehensive coverage across internet-facing systems, internal networks, and the application layer — directly addressing the most common RMiT scoping gap. We currently secure infrastructure for a leading telecom operator in Malaysia, giving us direct familiarity with the local enterprise environment, and our reports provide the verifiable, timestamped evidence that withstands BNM examination.

*This article reflects publicly available information as of mid-2026. Regulatory details and precise timelines evolve; consult the current RMiT policy and qualified legal counsel for compliance decisions.*