MALAYSIA Law and Practice Contributed by: Janet Toh, Irene Yong, Krystle Lui and Boo Cheng Xuan, Shearn Delamore & Co.
Policy Document on Business Continuity Management The Policy Document on Business Continuity Management, issued 19 December 2022 (BCM PD), aims to, among others, facilitate the devel - opment and implementation of a robust business continuity management framework by financial institutions and strengthen the capacity and pre - paredness of financial institutions to respond and recover from operational disruptions. To this end, the BCM PD prescribes policy requirements on matters such as business impact analysis, recovery strategy, crisis man - agement plan, business continuity plan and dis - aster recovery plan, crisis communication, inter - dependencies, alternate site and recovery site, and testing. Such requirements are not limited in their application to cloud and edge computing adopted by financial institutions. However, the interplay between such require - ments and the operational and technical aspects of cloud and edge computing must be consid - ered. In the context of cloud services, for exam - ple, if a cloud solution is chosen in connection with the requirement to have an alternate and recovery site in the event any infrastructure or systems supporting critical business functions of the financial institution becomes unavailable, the financial institution must consider various issues identified in the BCM PD, including the distance of the cloud infrastructure from the primary site, the use of separate of alternative telecommunications network and power grid from the primary site, and the use of IT systems compatible with the primary site. Similar to the RMiT PD and Outsourcing PD, the BCM PD requires mandatory contractual terms to be included in outsourcing and contractual arrangements with key service providers, which
would include providers of cloud and edge com - puting if their services support the financial insti - tution’s critical business functions. Policy Document on Management of Customer Information and Permitted Disclosures The Policy Document on Management of Cus - tomer Information and Permitted Disclosures, issued 3 April 2023 (MCI PD), sets out BNM’s requirements and expectations regarding finan - cial service providers’ measures and controls in handling customer information. Like the BCM PD, the MCI PD does not contain provisions specific to cloud and edge computing, but the provisions therein are nevertheless crucial given their common use for managing, storing and transmitting customer information. Other BNM policy documents of general appli - cation shall also similarly be considered. Regulated subjects in other sectors may also be subject to sectoral requirements similar to those imposed by BNM on financial institutions. For instance, for the communications and multime - dia sector, the Technical Code for Information and Network Security - Cloud Service Providers Selection (First Revision), which was developed pursuant to Section 185 of the CMA, specifies requirements for organisations to select cloud service providers using a risk-based approach that is structured to be generic but tailored for the communications and multimedia industry. 3. Artificial Intelligence 3.1 Liability, Data Protection, IP and Fundamental Rights There is no dedicated legislation on AI in Malay - sia as that of the EU’s Artificial Intelligence Act.
226 CHAMBERS.COM
Powered by FlippingBook