The relevant RMiT clauses
Bank Negara Malaysia's Risk Management in Technology (RMiT) Policy Document sets the regulatory standard for technology risk management at Malaysian financial institutions. The cyber-resilience chapter contains a set of clauses (paragraphs 10.49 through 10.54) directly relevant to intelligence-led testing.
Paragraph 10.49 expects financial institutions to conduct penetration testing on critical systems using intelligence-led techniques that emulate the tactics, techniques and procedures of relevant threat actors. The surrounding clauses address related expectations: scoping (10.50), provider independence and competence (10.51), reporting to senior management (10.52), regulator engagement (10.53) and tracking remediation through to closure (10.54). The clauses are read together — a compliant programme satisfies all of them.
The specific wording, paragraph numbering and any subsequent updates to the Policy Document take precedence over any summary. Treat this article as a planning aid and refer to the published Policy Document at bnm.gov.my for the binding text.
iCAST methodology
The Hong Kong Monetary Authority's intelligence-led Cyber Attack Simulation Testing (iCAST) framework is the closest international template for what BNM RMiT 10.49 contemplates. iCAST mandates: independent CTI provider scoping, threat-scenario design, red-team execution with no advance blue-team notification, scope-aligned objective sets, full kill-chain coverage, and a structured blue-team replay. The methodology is the de facto reference for Asian regulators.
TIBER-EU comparison
The European Central Bank's Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) framework is the most thoroughly documented international precedent. TIBER-EU breaks intelligence-led testing into three phases: Preparation, Testing and Closure. Each phase has formal milestones, independent control (TIBER Cyber Team within the regulator), and a standardised reporting template.
TIBER-EU is not directly applicable in Malaysia, but the structure maps well onto BNM expectations. Many Malaysian financial institutions structure their RMiT 10.49 programme on TIBER-EU lines because the methodology is open, well-tested, and easy to defend to examiners. CBEST (Bank of England), AASE (MAS) and iCAST (HKMA) are similarly aligned.
Required cadence
RMiT does not prescribe a fixed interval. The expectation is that frequency reflects the institution's threat profile, criticality and changes in its technology landscape. In practice, large Malaysian banks run a full intelligence-led exercise on an 18-24 month cycle, with scoped red-team simulations annually and after major architecture changes. Smaller licensed entities and DFIs may run the exercise less frequently, justified by risk profile.
Testing less often than every 24 months is hard to defend for systemically important institutions, and an interval beyond 36 months attracts examiner questions for any FI. Build the cadence into your three-year cyber-resilience plan and align scope each cycle with the highest-priority technology changes.
Provider requirements
- Independent of the FI's IT operations and prior incumbent providers
- CREST member firm or equivalent
- Lead testers with CREST CCT, OSCP, OSCE or equivalent senior credentials
- Demonstrated cyber-threat-intelligence capability — not just borrowed third-party feeds
- Documented attack-emulation methodology, with prior intelligence-led delivery experience
- Operating under formal legal authorisation, data-handling agreement and indemnification
Reporting format
A defensible RMiT 10.49 deliverable typically includes:
- Threat intelligence briefing report (the adversary picture used to drive the test)
- Legal authorisation and rules of engagement pack
- Attack narrative mapped to MITRE ATT&CK
- Findings with CVSS and business-impact rating, with full evidence
- Purple-team detection-gap analysis with measured MTTD/MTTR
- Executive board-ready summary
- Remediation roadmap with owners, dependencies and target dates
- BNM examiner Q&A pack and continuing-availability commitment from the provider
Common findings on Malaysian FIs
Across our intelligence-led engagements on Malaysian banks, the same control gaps recur. We share the patterns (no client identification) so other FIs can prioritise:
- Identity-and-access — privileged-access lifecycle, service-account hygiene, joiners-movers-leavers timeliness
- Detection coverage — MITRE ATT&CK technique coverage gaps in detections, particularly around defence evasion and credential access
- Lateral-movement choke points — flat internal networks, weak Tier-0 segmentation, broad domain-admin assignments
- EDR blind spots — exceptions, unmanaged endpoints, OT/Mac/Linux coverage
- Cloud blast radius — weak workload identity hygiene, over-permissive IAM, missing private networking
- Incident-response readiness — playbooks that do not survive contact with reality, comms paths that bottleneck
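Two of the items above are measurable rather than narrative: the ATT&CK technique coverage gaps listed under common findings, and the purple-team detection-gap analysis with MTTD/MTTR listed under the reporting format. The following is an added example (written for this page, not code from the article's authors or from any regulator) of how a purple-team replay log can be turned into those figures. The replay steps, technique IDs, timestamps and tactic names are constructed sample data; the focus tactics default to the defence-evasion and credential-access gaps the article singles out.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class ReplayStep:
    """One red-team action replayed with the blue team during the purple-team phase."""
    technique: str                     # ATT&CK technique ID (constructed sample value)
    tactic: str                        # ATT&CK tactic the step belongs to
    executed_at: datetime              # when the red team performed the action
    detected_at: Optional[datetime]    # first blue-team alert, or None if never detected
    contained_at: Optional[datetime]   # when the activity was contained, or None if never


# Constructed replay log for one hypothetical scenario; not real engagement data.
REPLAY = [
    ReplayStep("T1566.001", "initial-access",    datetime(2024, 3, 4, 9, 0),  datetime(2024, 3, 4, 9, 12),  datetime(2024, 3, 4, 10, 30)),
    ReplayStep("T1059.001", "execution",         datetime(2024, 3, 4, 9, 5),  datetime(2024, 3, 4, 9, 20),  datetime(2024, 3, 4, 10, 30)),
    ReplayStep("T1027",     "defense-evasion",   datetime(2024, 3, 4, 9, 30), None,                         None),
    ReplayStep("T1003.001", "credential-access", datetime(2024, 3, 4, 11, 0), None,                         None),
    ReplayStep("T1021.002", "lateral-movement",  datetime(2024, 3, 5, 8, 0),  datetime(2024, 3, 5, 14, 0),  datetime(2024, 3, 5, 18, 0)),
    ReplayStep("T1048",     "exfiltration",      datetime(2024, 3, 6, 7, 0),  datetime(2024, 3, 6, 7, 45),  None),
]


def coverage_by_tactic(steps):
    """Return {tactic: (detected_count, total_count)} so gaps show per kill-chain stage."""
    cov = {}
    for s in steps:
        detected, total = cov.get(s.tactic, (0, 0))
        cov[s.tactic] = (detected + (1 if s.detected_at is not None else 0), total + 1)
    return cov


def missed_techniques(steps):
    """Technique IDs that produced no alert at all: the core detection-gap list."""
    return [s.technique for s in steps if s.detected_at is None]


def priority_gaps(steps, focus=("defense-evasion", "credential-access")):
    """Missed techniques in the tactics the article flags as recurring weak spots."""
    return [s.technique for s in steps if s.detected_at is None and s.tactic in focus]


def uncontained_detections(steps):
    """Detected but never contained: an alert nobody acted on is a response gap, not a detection gap."""
    return [s.technique for s in steps if s.detected_at is not None and s.contained_at is None]


def _hours(later, earlier):
    return (later - earlier).total_seconds() / 3600


def mttd_hours(steps):
    """Mean time to detect: execution -> first alert, over detected steps only (None if none)."""
    deltas = [_hours(s.detected_at, s.executed_at) for s in steps if s.detected_at is not None]
    return mean(deltas) if deltas else None


def mttr_hours(steps):
    """Mean time to respond: first alert -> containment, over contained steps only (None if none)."""
    deltas = [_hours(s.contained_at, s.detected_at)
              for s in steps if s.detected_at is not None and s.contained_at is not None]
    return mean(deltas) if deltas else None


def gap_report(steps):
    """Assemble the figures that feed the detection-gap section of the deliverable."""
    return {
        "coverage_by_tactic": coverage_by_tactic(steps),
        "missed_techniques": missed_techniques(steps),
        "priority_gaps": priority_gaps(steps),
        "uncontained_detections": uncontained_detections(steps),
        "mttd_hours": mttd_hours(steps),
        "mttr_hours": mttr_hours(steps),
    }


if __name__ == "__main__":
    for key, value in gap_report(REPLAY).items():
        print(f"{key}: {value}")
```

Missed steps are deliberately excluded from the MTTD average rather than given a large placeholder value, so the metric is not quietly inflated or deflated; they are reported separately as coverage gaps, and a detected-but-uncontained step is reported as a response gap. Examiners reading the report can then see both the number and the list behind it.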
Cost ranges
Intelligence-led penetration tests are not commodity pentests, and pricing reflects that. For a Malaysian financial institution, a full RMiT 10.49 exercise typically falls in the RM 60,000 to RM 150,000 range, depending on scope breadth, scenario count, duration, blue-team replay depth and reporting requirements. Smaller scoped red-team exercises sit below that band; multi-scenario or multi-entity engagements sit above.
Treat any quote materially below this band with caution — the methodology required to satisfy RMiT 10.49 has an irreducible cost floor, and low quotes typically signal a scoped pentest being labelled as intelligence-led, which will not survive examiner scrutiny.
Planning your programme
A defensible programme structure looks like this:
- Year 1: Baseline cyber-resilience assessment + scoped red team on highest-priority crown jewel.
- Year 2: Full intelligence-led test covering retail banking, internet-facing customer journeys and treasury.
- Year 3: Scoped intelligence-led test against a different crown jewel (payments, wealth, cards), plus purple-team uplift.
- Each year: Annual baseline pentests, quarterly external scanning, continuous CTI feed, twice-yearly tabletop drills.
For execution: see our intelligence-led penetration testing service, our broader RMiT compliance practice, and our financial services industry page.