On 28 November 2025, Bank Negara Malaysia issued one of the most significant overhauls to Malaysian financial sector cybersecurity regulation in recent years. The revised Risk Management in Technology (RMiT) policy expands who’s in scope, mandates continuous monitoring of third-party vendors, introduces SBOM requirements, and enforces stricter SLAs for incident disclosure and remediation. This white paper breaks down what changed, what it means for your third-party risk program, and how to operationalise and evidence the new obligations at scale.
- 28 Nov 2025 — the date RMiT was revised and reissued by BNM
- New entities in scope — including certain non-bank merchant acquirers and intermediary remittance institutions
- Continuous monitoring now mandatory — periodic, questionnaire-based assessment is explicitly no longer sufficient
- 12M+ entities rated across SecurityScorecard’s global intelligence network
RMiT 2025 isn’t a checkbox exercise. It’s a shift in how cyber risk is governed.