Ensuring RMiT Compliance: A Case Study on Strengthening Cyber Governance and Risk Management


Cybersecurity isn’t just about blocking hackers or patching vulnerabilities. It’s about governance—who’s responsible, who’s accountable, and what happens when things go wrong. Regulations like Bank Negara Malaysia’s (BNM) Risk Management in Technology (RMiT) exist to enforce structure, but meeting the minimum requirements doesn’t guarantee security. It only guarantees compliance.

This was the challenge facing a financial services firm that engaged AKATI Sekurity for an independent cybersecurity assessment. The company had policies, it had vendors, and it had a security operations center (SOC) that ran 24/7. On paper, everything looked solid. In reality, there were cracks—blind spots in governance, inconsistencies in enforcement, and risks buried under layers of process.

The Reality Check: Where Compliance Falls Short

When AKATI Sekurity began its assessment, it didn’t take long to spot the problems. Governance wasn’t centralized—cybersecurity responsibilities were scattered across multiple teams, with no clear accountability. The SOC was struggling with handoffs, threat intelligence gaps, and slow escalations. Critical vulnerabilities took weeks—sometimes months—to patch, and third-party vendors weren’t being held to the same security standards as internal teams. Most concerning was the lack of real-world testing for the organization’s Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). The documents existed. They checked all the regulatory boxes. But if a ransomware attack hit tomorrow, would the company actually know what to do? Would the right people be alerted? Would the systems come back online in time to avoid financial damage?

The answers weren’t reassuring.

The Fix: A Roadmap for Cyber Resilience

AKATI Sekurity wasn’t there to just point out problems and walk away. The goal wasn’t simply to get the company in line with regulations—it was to make sure they actually understood their risk posture and had a plan to improve it. Instead of vague suggestions, the company walked away with a detailed, step-by-step roadmap to address its biggest security gaps.

1. Fixing the SOC’s Fragmentation Problem

The organization’s SOC teams weren’t operating as a single unit, which led to miscommunication, missed alerts, and inconsistent incident response times. AKATI Sekurity recommended:

  • A shared knowledge base to ensure that analysts had real-time access to ongoing investigations, previous incidents, and standardized response procedures.

  • A SOC Maturity Assessment Model to evaluate how effectively threats were being detected, escalated, and mitigated.

  • Stronger service-level agreements (SLAs) for both of the company’s managed security service providers (MSSPs), making it clear who was responsible for what, and how quickly critical alerts needed to be acted upon.

2. Holding Third-Party Vendors Accountable

Like many organizations, the company outsourced a significant portion of its IT operations. But vendor contracts lacked enforceable cybersecurity clauses—meaning there was no real mechanism to make sure third parties were adhering to security best practices. AKATI Sekurity recommended restructuring vendor agreements to:

  • Require regular security audits and compliance reporting.

  • Mandate disaster recovery and incident response testing—if a third-party service went down, the company needed to know exactly what would happen next.

  • Enforce faster patching cycles for vulnerabilities, reducing risk exposure.

3. Closing the Gaps in Cyber Resilience

The Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) were theoretically strong but hadn’t been tested under real-world conditions. There was no guarantee they would hold up in an actual cyberattack. To fix this, AKATI Sekurity advised:

  • Mandatory BCP/DRP simulations, with tabletop exercises that mirrored real cyber incidents.

  • Quarterly ransomware and data breach drills, ensuring that response teams could act fast when it mattered.

  • A revised escalation process, making sure the right people were alerted in time to contain threats before they spread.

4. Accelerating Patch Management

The company’s patch deployment cycle stretched to 30 days, meaning that newly discovered vulnerabilities had an entire month to be exploited before they were addressed. That’s an eternity in cybersecurity terms. AKATI Sekurity recommended a fast-track testing protocol that would:

  • Prioritize critical security patches for immediate deployment (within 48 hours).

  • Automate patch testing and validation to remove unnecessary delays.

  • Implement virtual patching solutions as an interim measure for vulnerabilities that couldn’t be patched immediately.
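The fast-track protocol above only works if someone is actually measuring deadlines, so here is an added example (not code from the case study or from AKATI Sekurity) of a small patch-SLA tracker. It takes the page’s 48-hour target for critical patches and the 30-day cycle as the medium tier; the "high" and "low" tiers, the 75% at-risk threshold, the `Vuln` record layout and the sample inventory are assumptions constructed for the example. It deliberately reports a vulnerability that is past its deadline but covered by a virtual patch as a separate, still non-compliant state, so the interim control is visible without hiding the missed deadline. The same check applies to the vendor-side patching cycles from section 2.

```python
"""Patch-SLA tracker: measures each vulnerability against a per-severity
deadline and reports breaches, near-breaches and items only covered by an
interim virtual patch. The inventory below is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Deadline per severity tier, in hours from discovery. "critical" is the
# 48-hour target and "medium" the 30-day cycle from the case study; the
# "high" and "low" tiers are assumptions for the example.
SLA_HOURS = {"critical": 48, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}
AT_RISK_FRACTION = 0.75  # warn once 75% of the window has elapsed (assumption)


@dataclass
class Vuln:
    vid: str
    severity: str
    discovered: datetime
    patched: Optional[datetime] = None
    virtual_patch: bool = False  # interim WAF rule / IPS signature in place


def sla_status(v: Vuln, now: datetime) -> str:
    """Classify one vulnerability as 'patched_in_sla', 'patched_late',
    'open_in_sla', 'open_at_risk', 'open_breached' or 'open_breached_mitigated'."""
    if v.severity not in SLA_HOURS:
        raise ValueError(f"unknown severity {v.severity!r} for {v.vid}")
    window = timedelta(hours=SLA_HOURS[v.severity])
    deadline = v.discovered + window
    if v.patched is not None:
        return "patched_in_sla" if v.patched <= deadline else "patched_late"
    if now > deadline:
        # A virtual patch reduces exposure but does not close the SLA breach.
        return "open_breached_mitigated" if v.virtual_patch else "open_breached"
    if now - v.discovered >= window * AT_RISK_FRACTION:
        return "open_at_risk"
    return "open_in_sla"


def sla_report(vulns, now):
    """Group vulnerability ids by status, with ids sorted for stable output."""
    report = {}
    for v in vulns:
        report.setdefault(sla_status(v, now), []).append(v.vid)
    return {status: sorted(ids) for status, ids in report.items()}


def sla_compliance_rate(vulns, now):
    """Share of vulnerabilities either patched on time or still open inside
    their window. Breached items count as non-compliant even when a virtual
    patch is in place, so interim controls cannot mask a missed deadline."""
    if not vulns:
        return 1.0
    compliant = {"patched_in_sla", "open_in_sla", "open_at_risk"}
    return sum(sla_status(v, now) in compliant for v in vulns) / len(vulns)


# Constructed sample inventory, expressed relative to a fixed "now" so the
# example is reproducible offline.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)


def _ago(hours):
    return NOW - timedelta(hours=hours)


SAMPLE = [
    Vuln("VULN-001", "critical", _ago(60)),                          # 60h open, no mitigation
    Vuln("VULN-002", "critical", _ago(72), virtual_patch=True),      # breached, WAF rule in place
    Vuln("VULN-003", "critical", _ago(40)),                          # 40h of a 48h window used
    Vuln("VULN-004", "critical", _ago(100), patched=_ago(70)),       # patched 30h after discovery
    Vuln("VULN-005", "high", _ago(24)),                              # well inside 7-day window
    Vuln("VULN-006", "medium", _ago(35 * 24), patched=_ago(3 * 24)),  # patched on day 32: late
]

if __name__ == "__main__":
    for status, ids in sla_report(SAMPLE, NOW).items():
        print(f"{status:24s} {', '.join(ids)}")
    print(f"compliance rate: {sla_compliance_rate(SAMPLE, NOW):.0%}")
```

Run against a real inventory, the `open_at_risk` bucket is the one to review daily: it is the set of patches that can still meet the 48-hour target if pushed through the fast-track testing path now, whereas `open_breached` is already a metric the board and the regulator will ask about.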

The Takeaway: Cybersecurity Isn’t a Checkbox

Many organizations assume that if they follow compliance rules, they’re secure. But compliance is a starting point, not the finish line. Without governance, accountability, and real-world testing, regulations alone won’t stop a ransomware attack or prevent a security breach. This case study proves one thing: cybersecurity isn’t just about IT teams. It’s about decision-makers, vendors, third-party service providers, and governance structures that ensure security isn’t just talked about—but enforced.

If your cybersecurity framework hasn’t been stress-tested against real-world threats, you don’t know if it works. And if your vendor contracts don’t hold third parties accountable, you don’t know if they’re protecting your data. So the question is: Are you just compliant, or are you actually secure?


AKATI Sekurity helps organizations bridge the gap between compliance and real security. If you need a cybersecurity roadmap that goes beyond regulatory checkboxes, we’re here to help.

📩 Contact us today and start building a cybersecurity strategy that works before a real-world attack puts it to the test.

