II. Technology Risk Governance
• Developing frameworks, policies and guidelines to govern the activities of the First Line of Defence where risks arise, to ensure that technology-related risks (including cyber and data risks) are mitigated to an acceptable level, and to monitor the effectiveness of internal controls.

III. Technology Risk Measurement and Assessment
• Conducting comprehensive risk assessments of threats and vulnerabilities, and reviewing the quality of the risk assessments performed by the First Line of Defence. These range across technology risk assessments, cloud risk assessments, data risk assessments and cybersecurity-related assessments.
• Strengthening the Group's detection and response capabilities through exercises such as red teaming, cyber drills, compromise assessments and phishing simulations.

IV. Technology Risk Monitoring & Compliance
• Monitoring process reviews, including independent reviews of technology key risk indicators (KRIs) and risk control self-assessments (RCSAs), are performed to monitor risks and to ensure that controls are adequately implemented to manage risks within the established risk appetite and thresholds.
• Additionally, GISGD runs a technology compliance review programme to ensure that all key technology requirements prescribed by regulatory bodies are complied with. The assessment evaluates the effectiveness and adequacy of the controls implemented by the business units and support units. The review serves as a check-and-balance function, reporting the compliance status to Management and Board committees.

V. Technology Risk Reporting
• Matters pertaining to technology, cyber and data risks are reported to key working groups, Management committees, Board Committees and the Board for deliberation and approval (where applicable).

VI. Technology Risk Culture
• In 2024, GISGD played an active role in communication and education on technology, cyber and data-related risks. These initiatives were tailored to the diverse stakeholders and delivered through various channels to cultivate a strong culture of security across all layers of the Group.
• Various security awareness initiatives were put in place throughout the year, such as a regular series of infographics, e-learning modules, phishing campaigns and training (virtual and physical), to enable our people to contribute to a more secure environment.

With the rapid pace of digitalisation and technological advancement, it is paramount for the Group to remain adept at navigating the evolving threat landscape without compromising the delivery of services to our stakeholders. In recognition of the growing importance of technology and cyber resilience, the Group prioritises continuous technological investment to strengthen the security and reliability of the systems and infrastructure that underpin the delivery of services to our customers.

In 2024, GISGD adopted a Bank-wide approach to ensure appropriate management of technology, cyber and data-related risks for the Group, comprising the following key highlights:
(a) Enhancement and introduction of technology, cyber and data-related frameworks, policies and guidelines;
(b) Uplifting various risk assessment practices related to technology, cyber and data risks to ensure the relevance and robustness of assessments in line with changes in the risk landscape;
(c) Revision of the risk appetite statement, key risk indicators and reporting dashboards to improve the tracking and reporting of any emerging or potential risks;
(d) Embarking on the adoption and implementation of Zero Trust initiatives to fortify the security posture of the Group;

Bank Islam Malaysia Berhad ◆ Integrated Annual Report 2024 250 Statement on Risk Management and Internal Control