Independent, examiner-grade Threat & Vulnerability Risk Assessment for Malaysian licensed financial institutions. Methodology aligned to BNM RMiT, written for the Board Risk Committee and the BNM examiner in the same document.
A Threat & Vulnerability Risk Assessment is the BNM-aligned annual (or near-annual) exercise that licensed Malaysian financial institutions use to evidence that their cyber-risk programme remains effective against current threats. It is distinct from a penetration test: where a pentest exercises specific technical assets, a TVRA is a methodology-driven institutional review that names threat actors, models attack paths against critical systems, enumerates vulnerabilities across people-process-technology, and quantifies residual risk after controls.
The deliverable is a board-grade risk register with treatment plans, mapped clause-by-clause to the BNM RMiT Policy Document, ready for the next thematic examination. Most FIs run TVRA annually, with a delta review on any material change (new core system, new outsourcing arrangement, post-incident, post-merger).
For verbatim regulatory text, refer to the Risk Management in Technology Policy Document published at bnm.gov.my. The clauses most often relevant to TVRA scope are in the 10.45 series (technology risk identification) and 10.62 (third-party / outsourcing risk).
Authoritative list of in-scope systems (core banking, payment gateway, customer channels, regulatory reporting), with criticality classification and supporting infrastructure dependencies.
Named threat-actor library relevant to Malaysian FSI — financially-motivated, state-aligned, insider, hacktivist. Modelled using STRIDE and MITRE ATT&CK against each critical system.
Technical (configuration, patching, architecture) and non-technical (process gaps, training deficits, third-party exposure). Pentest output where relevant feeds this section.
Quantified using the FI's own risk methodology so it lands cleanly in the existing enterprise risk register. Heat-map view for the Board Risk Committee.
RMiT 10.62 series — material outsourcing arrangements, cloud providers, fourth-party concentration risk.
12-month remediation roadmap with owner, effort estimate, target risk reduction. Designed to map cleanly into the FI's existing portfolio governance.
Joint scoping with the CISO, CRO and Head of Technology Risk. Document review: prior TVRA, prior audit findings, RMiT self-assessment, risk appetite statement, outsourcing register, incident log.
Critical-systems inventory validated through interviews. Classification against the FI's own criticality scheme. Dependency mapping into supporting infrastructure and outsourcing arrangements.
Named threat-actor library. STRIDE modelling per critical system. MITRE ATT&CK technique mapping. Threat-intelligence feed cross-reference for sector-relevant TTPs.
Technical and non-technical vulnerability discovery. Existing pentest, BAS and audit evidence consolidated. Controls mapped to RMiT clauses with gaps surfaced.
Executive summary, methodology, asset inventory, threats, vulnerabilities, findings, treatment plan. Examiner-ready clause-mapped appendix. Board readout with Q&A pack pre-built for the next BNM thematic.
Both are RMiT-aligned independent assessments, but they answer different questions and have different scopes:
TVRA (Threat & Vulnerability Risk Assessment)
Question: What cyber threats matter to this institution and how exposed are we?
Scope: Institution-wide. People, process, technology. All critical systems regardless of location.
Output: Board-grade risk register, treatment plan, RMiT clause map.
DCRA (Data Centre Risk Assessment)
Question: Is this specific data-centre facility resilient to physical, environmental, operational and cyber risk?
Scope: A single facility. Physical security, electrical, mechanical, fire, environmental, BCP, perimeter cyber.
Output: Facility risk register, Tier mapping, remediation roadmap.
Most BNM-regulated institutions need both — TVRA at the institution level on an annual cycle, plus a DCRA at each in-scope data centre on a roughly biennial cycle.
A penetration test exercises a defined technical scope to find exploitable vulnerabilities. A TVRA is a broader, methodology-driven exercise that names threat actors, models how those actors would move against your assets, enumerates vulnerabilities (technical and non-technical), and quantifies residual risk after controls. Pentest output is a vulnerability register; TVRA output is a board-grade risk register with treatment plans. The two are complementary — pentest evidence frequently feeds the vulnerability section of the TVRA.
DCRA (Data Centre Risk Assessment) is facility-focused — physical security, electrical and mechanical resilience, fire suppression, environmental controls, BCP at a specific data centre. TVRA is broader — it covers your full cyber-threat exposure across people, process and technology, regardless of where workloads sit. Many BNM-regulated institutions need both: TVRA at the institution level, DCRA at each facility hosting production workloads. See our DCRA service for the facility-level engagement.
BNM does not prescribe a fixed cadence in the RMiT Policy Document, but expects frequency to reflect the criticality of workloads and the rate of material change. In practice we see most licensed banks and insurers commission a full TVRA annually, with a delta review on any material change (new core system, new outsourcing arrangement, post-incident, post-merger). For DFIs and smaller licensed entities, an 18-24 month cadence with annual delta is common.
The TVRA must be performed by an assessor independent of the FI's IT operations and the in-scope outsourcing providers. The report is typically signed by the lead assessor and counter-signed by the assessor firm's principal. The receiving sign-off inside the FI is normally the Chief Risk Officer and the Board Risk Committee, with the Head of Technology Risk owning remediation. Refer to bnm.gov.my for the verbatim RMiT text on assessor independence.
Pricing is driven by the scope: number of business lines and core systems in scope, number of locations, number of in-scope outsourcing providers, regulatory complexity (BNM only vs BNM + cross-border MAS or HKMA). A typical full TVRA for a mid-sized Malaysian licensed bank lands in the high five-figure RM range; complex multi-entity engagements run into low six figures. We provide a written quote after a 1-hour scoping call.
Scoping calls take 30 minutes. A typical TVRA runs 4-8 weeks from kickoff to board readout, depending on scope complexity.