Request for Proposal

CYBERSECURITY RISK RATING TOOL

ISSUER: Bank Negara Malaysia, Jalan Dato’ Onn, 50480 Kuala Lumpur
ISSUE DATE: 13 March 2020
CLOSING RFP SUBMISSION: 27 March 2020, 3.00 pm


TABLE OF CONTENTS

PART A: RFP REQUIREMENTS ... 4
1.0 Introduction ... 4
2.0 Conditions of the Proposal ... 4
3.0 Evaluation of Proposal ... 7
4.0 Submission of the Proposal ... 8
5.0 Closing Date and Validity Period of Proposal ... 10
6.0 Liquidated Ascertained Damages (LAD) ... 11
7.0 Company Litigations ... 11
8.0 Contact for Enquiries ... 12

PART B: TECHNICAL AND BUSINESS REQUIREMENTS ... 13
1.0 Introduction ... 13
2.0 Overview ... 13
3.0 Technology and Service Requirements ... 15

PART C: CONTENT COVERAGE OF RESPONSE TO RFP REQUIREMENTS ... 21
1.0 Format of Proposal ... 21

APPENDICES ... 22


APPENDICES

Appendix A-1(i) Covering Letter for Proposal Submission

Appendix A-2 Undertaking of Confidentiality

Appendix A-3(i) Vendor Code of Conduct – Declaration of Interests

Appendix A-4(i) Company Profile and Experience

Appendix B-1 Notice of Personal Data Protection (PDPA)

Appendix B-2 Data Access or Correction Request Form

Appendix C Service Subscription Agreement

Appendix D Compliance with Tender Requirements

Appendix E-1 Cost Summary

Appendix E-2 Detailed Costing


PART A – RFP REQUIREMENTS

1.0 INTRODUCTION

1.1 Request for Proposal

1.1.1 Bank Negara Malaysia (BNM) is inviting Tenderers and/or their consortium/solution partners (The Tenderer) to submit a comprehensive proposal for the implementation of a cybersecurity risk rating tool.

1.1.2 This document provides a combination of broad requirements and detailed specifications for the above purpose, for The Tenderer to submit a proposal for BNM’s evaluation and consideration.

1.1.3 The Tenderer is requested to study this document and all its references carefully before preparing the proposal, and to seek clarification from BNM should questions or concerns arise.

1.1.4 This tender document provides a detailed specification of the services required. The Tenderer is expected to provide an itemised quotation so that BNM can select the required services as necessary. Should a discounted package price exist for a group of services, it should be indicated wherever applicable.

2.0 CONDITIONS OF THE PROPOSAL

2.1 General Conditions

2.1.1 The Tenderer must respond to the Request for Proposal (RFP) on the basis that the Tenderer is deemed to have examined and understood the contents of this RFP. The Tenderer is also deemed to accept, and is bound by, all the terms and conditions specified in this RFP. Any limitations on, or assumptions about, responsibilities that The Tenderer wishes to make known should be clearly stated.

2.1.2 Any non-compliance by The Tenderer with any requirement stipulated in this RFP entitles BNM, at its sole discretion, to disqualify The Tenderer.

2.1.3 The specifications and contractual conditions contained in this RFP define the basic functional, technical and contractual requirements for this request. Any amendment to the specifications will be effected and notified to all Tenderers by correspondence through letter or e-mail.


2.1.4 The Tenderer must have the necessary expertise or domain knowledge to provide the required services in their entirety as required by BNM.

2.1.5 The Tenderer is requested to submit a proposal with responses/information that shows how the proposed solution would meet and add value to BNM’s requirements.

2.1.6 The Tenderer is solely responsible for any collaboration with any solution partners (sub-contractors). The Tenderer will be the single point of contact with BNM, and any arrangement or agreement between the Tenderer and its partners is beyond BNM’s responsibilities.

2.1.7 All costs incurred in the preparation and submission of the proposal, including any presentation to BNM and/or Proof-of-Concept (POC) conducted, if any, must be borne solely by The Tenderer.

2.1.8 The Tenderer must ensure that the prices quoted are accurate before submitting its quotation. The Tenderer is solely responsible for any omissions and/or errors in its proposal, without any additional cost to BNM. BNM will not entertain any request for variation of price(s) or submission of an additional quote for items erroneously omitted from the original submission.

2.1.9 Any quotation submitted must be in Ringgit Malaysia (RM) and must include any applicable tax, duty, charge and other government taxes.

2.1.10 The Tenderer must be prepared to:

a) Provide the detailed scope of services that needs to be performed, for BNM’s reference.
b) Provide details of relevant projects/services delivered and implemented in the past 3 years, for BNM’s reference.
c) Allow BNM to conduct checks with The Tenderer’s references, if deemed necessary, to assess The Tenderer’s capability and support service.
d) Give a formal presentation of the proposal to BNM, if requested.
e) Respond to any questions on the proposal and provide additional information, when required by BNM.

2.1.11 BNM will retain the proposal and other related documents submitted by The Tenderer, for the purpose of this proposal.

2.1.12 BNM reserves the right to amend the requirements and conditions in this RFP in order to correct errors, rectify omissions or discrepancies or to reflect any change in policy. Any amendments to the specifications will be effected and notified to all Tenderers through official letter or e-mail.

2.2 Statement of Confidentiality and Vendor Code of Conduct

2.2.1 This document is strictly confidential. Information contained in this document must not be disclosed directly or indirectly to any party except to the consortium or solution partners involved in the preparation of the proposal, unless otherwise expressed in writing by BNM.

2.2.2 The Tenderer is required to sign an Undertaking of Confidentiality document as specified in Appendix A-2, which sets out The Tenderer’s responsibility not to divulge any information on this RFP document to any third party except its consortium or solution partners.

2.2.3 The Tenderer is advised to read the Vendor Code of Conduct (VCOC) published by BNM on its website (http://www.bnm.gov.my/documents/vendor_coc/vcoc_20170803.pdf) and duly submit the completed declaration of interest (Appendix A-3(i)).

2.2.4 In the event that any employee(s) of The Tenderer have a family member working in BNM, it is strongly advised that the affected employee(s) of The Tenderer be recused from participating in the tender bidding process and be declared as per the requirement of Section 2.2.3 above.

2.3 Conditions of The Agreement

2.3.1 The successful Tenderer must comply with the terms and conditions in BNM’s standard agreement as follows:

a) Service Subscription Agreement (Appendix C)

2.3.2 BNM will view favourably proposals from Tenderers that accept the terms of BNM standard agreements in their entirety without amendments.

2.3.3 In executing the Agreement, the successful Tenderer must comply with the provisions of any statute, regulation, or by-laws that are applicable to the work under the Agreement. The costs and expenses involved are deemed to have been included in the prices quoted by the successful Tenderer.

2.3.4 The Tenderer must take note of the terms and conditions relating to the draft agreement attached to the tender proposal. The successful Tenderer must enter into an agreement with BNM within 30 days from the acceptance date of the Letter of Award. No services are to be rendered to BNM, and no payment is payable to the successful Tenderer, until the agreement is executed.


3.0 EVALUATION OF PROPOSAL

3.1 BNM’s interpretation of the contents of the proposal is final.

3.2 This RFP does not in itself constitute in any way a commitment of BNM to any Tenderer. BNM reserves the right to select any proposal at its own discretion and does not bind itself to accept the lowest-priced or any proposal.

3.3 The Tenderer must submit a proposal for a complete solution that meets all requirements as defined in the RFP. In addition, The Tenderer may propose innovative and alternative solutions that would integrate seamlessly with BNM’s new or existing systems, if it considers that the alternatives provide a better solution for BNM.

3.4 A proposal that does not include a response to all requirements may be excluded at the sole discretion of BNM.

3.5 The evaluation of the proposal will be based on, but not limited to, the following factors:

a) Compliance with all the conditions of the proposal;
b) Compliance with all the requirements in this document or any of its referred documentation;
c) Comprehensiveness and level of detail of the proposal;
d) Compliance with the conditions of confidentiality;
e) Compliance with BNM’s contractual provisions and stipulations;
f) Tenderer’s capabilities, experience, knowledge and expertise in implementing and managing projects of similar nature in terms of scope, size and complexity;
g) Completeness of the proposal and effectiveness of the maintenance and support services in supporting BNM’s objectives;
h) Detailed cost of the proposal including all miscellaneous costs, if any;
i) Breakdown of the upgrade services or license renewal cost for each year, if any; and
j) Tenderer’s proven track record in the relevant domain.

3.6 BNM is not obliged to accept a proposal in its entirety and may, at its absolute discretion, opt to accept only parts of the proposal.

3.7 BNM is not obliged to give any reason for the acceptance or rejection of any particular proposal.


4.0 SUBMISSION OF PROPOSAL

The mandatory format of the proposal and its expected contents are as follows:

4.1 Part I: Cybersecurity Risk Rating Tool – Technical Proposal.

4.1.1 The response in Part I must not contain any pricing information.

4.1.2 The response in Part I must cover the following content:

Format | Content
Appendix A-1(i) | Covering letter for proposal submission
Tenderer’s Format | One-page executive summary of the proposed solution / services
Appendix A-2 | Undertaking of Confidentiality
Appendix A-3(i) | VCOC & Declaration of Interest by Tenderer
Appendix A-4(i) | Company Profile and Experience
Appendix B-1 | Notice of Personal Data Protection (PDPA)
Appendix C | Service Subscription Agreement
Appendix D | Summary of your company’s level of compliance with the RFP requirements
Tenderer’s Format | Proposal to meet the service requirements, which must cover the areas identified in Part B of this document

4.2 Part II: Cybersecurity Risk Rating Tool – Commercial Proposal. The response in Part II must cover the following content:

4.2.1 Cost summary as per the format in Appendix E-1 (in A4 size, on the first page of your submission for Part II).

4.2.2 Detailed costing of the proposal as per the format in Appendix E-2, which must contain all necessary costing.

4.3 The proposal must be submitted to BNM in hardcopy. All hardcopies should contain original signatures and should be clearly identified and labelled as ‘ORIGINAL’. The proposal must be prepared in two (2) separate parts as follows:

Part | Label | Copies
Part I | Part I: Cybersecurity Risk Rating Tool (Technical Proposal) | Two (2) hardcopies and one (1) softcopy
Part II | Part II: Cybersecurity Risk Rating Tool (Commercial Proposal) | Two (2) hardcopies and one (1) softcopy

4.4 Part I and Part II must be duly completed, separately bound, and sealed. The Tenderer must indicate the Part number on the right-hand corner of the envelope of submission. The documents shall be submitted in two (2) separate envelopes addressed, on the top left-hand corner, to:

Pengarah
Jabatan Risiko dan Penyeliaan Teknologi
Bank Negara Malaysia
Jalan Dato’ Onn
50480 Kuala Lumpur

Both quotations are to be submitted in the tender box located at: Tender Box labelled (Quotation for Cybersecurity Risk Rating Tool), Ground Floor, Block C, Bank Negara Malaysia.

4.5 The total size, including the folder/cover, must not exceed 28cm x 21cm x 5cm. A softcopy set of the same documents stored on a flash drive shall also be included in the envelope. Please ensure the flash drive and its contents have been scanned and cleared of any potential malware before submission.

4.6 If applicable, please attach to the quotation submission proof that the company is an authorised partner or reseller for the solution.

4.7 Proposals submitted by any other means (e.g. email, fax, telex, telegram) will NOT be considered.

4.8 The completed proposal must be received by the RFP submission closing date and time specified in item 5.1 of this RFP.

4.9 BNM reserves the right to accept or not accept subsequent revised submissions by a Tenderer, provided that such subsequent submission is received before the expiry of the closing date for submission of proposals.

4.10 BNM may conduct a briefing session for Tenderers on the RFP requirements and timeline, at a time to be scheduled, if deemed necessary by BNM.


4.11 The Tenderer will be required to provide a comprehensive technical presentation of the proposed solution. The Tenderer will also need to undertake a POC of the proposed solution for BNM. The presentation and the POC, if any, must be conducted by the key team members responsible for the implementation of the tool.

4.12 Failure to submit the proposal in response to this RFP within the stipulated closing date and time will be deemed non-participation by the Tenderer.

4.13 The Tenderer must comply with any request made by BNM for additional information, for clarification purposes, after the closing date of this RFP. The Tenderer must promptly comply with the request, as non-response may be prejudicial to the Tenderer.

4.14 All costs incurred in the preparation of the proposal in response to this RFP, as well as the presentation and POC to BNM, if any, must be borne solely by the Tenderer.

4.15 Failure on the part of the Tenderer to comply with the requirements specified herein will invalidate the Tenderer’s proposal.

4.16 Award of Tender

4.16.1 BNM reserves the right to award the project in part or in whole to any Tenderer.

4.16.2 BNM reserves the right not to proceed with any part of the project.

5.0 CLOSING DATE AND VALIDITY PERIOD OF PROPOSAL

5.1 The closing date and time for submitting the proposal is 27 March 2020, 3.00 pm.

5.2 Any proposal received after the closing date and time for submitting the proposal will not be accepted by BNM. The Tenderer’s proof of posting and/or submission by other means will not be accepted as proof of receipt by BNM.

5.3 This document lapses in accordance with the proposal submission closing date and time.

5.4 The Tenderer’s offer must be valid for a period of six (6) months commencing from the closing date of this RFP. On expiry of the validity of the offer, the Tenderer must, if so requested by BNM, extend the validity of the offer for a period of three (3) months after the expiry date of the initial six (6) months.

5.5 Any Tenderer withdrawing its proposal after it has been submitted and opened by BNM will be blacklisted from participating in future RFPs, in accordance with the BNM Vendor Code of Conduct and BNM Procurement Policy.

5.6 Failure to submit the proposal in response to this RFP within the stipulated closing date and time will be deemed non-participation by the Tenderer.

5.7 Upon award of this project to the successful Tenderer, the offered prices must be firm throughout the contract period.

6.0 LIQUIDATED ASCERTAINED DAMAGES (LAD)

6.1 If the Tenderer fails to hand over the project deliverables by the dates specified in the implementation plan, and the delay is beyond reasonable doubt caused by the Tenderer, then the Tenderer must pay liquidated ascertained damages (LAD) to BNM. The liquidated damages shall be the aggregate sum of one and a half percent (1.5%) of the price for each week of such delay, pro-rated for parts of a week, up to a total maximum of twenty per cent (20%) of the price.

7.0 COMPANY LITIGATION

7.1 The Tenderer is to declare that there is no ongoing litigation or dispute instituted against the companies and/or their directors. The Tenderer must also list any indictments, convictions, censures, fines or ongoing investigations by any government entity or agency against the Tenderer or its related companies and/or its consortium/solution partners, and any other business or businesses owned in whole or in part by, or held in common with, the Tenderer or any of their principals.

7.2 The Tenderer must list any indictments, convictions, censures, fines or ongoing investigations by any government entity or agency against the Tenderer or any parent companies and subsidiaries of the Tenderer (in any part of the world) and any other business or businesses owned in whole or in part by, or held in common with, the Tenderer (such entities referred to hereinafter as “Affiliates”) or any of their principals.

7.3 The Tenderer must describe briefly any pending or past legal proceedings, or legal proceedings known to be contemplated, that (i) relate to business activities, and (ii) to which the Tenderer or any Affiliates, or any of their principals, is a party or to which any of their property is the subject. Include in such description the name of the court or agency in which the proceedings are pending, the date instituted and the principal parties thereto, a description of the alleged factual basis underlying the proceeding and the relief sought. Likewise, describe any judgement, order or determination by any court or governmental authority to which the Tenderer or any Affiliates or any of their principals is subject.

8.0 CONTACT FOR ENQUIRIES

8.1 The Tenderer is advised to study all terms, conditions and requirements carefully, make all necessary clarifications and conduct investigations to better understand BNM’s environment and requirements, before submitting the proposal.

8.2 A Tenderer seeking clarification must submit its queries, in writing, via e-mail to [email protected] with the e-mail subject ‘Enquiry: Cybersecurity Risk Rating Tool:’. Any other mode of query will not be entertained by BNM.

8.3 BNM may conduct a briefing session for Tenderers on the RFP requirements and timeline, at a time to be scheduled, if deemed necessary by BNM.


PART B – TECHNICAL & BUSINESS REQUIREMENTS

1.0 INTRODUCTION

1.1 Cybersecurity Risk Rating Tool

1.1.1 The Malaysian financial sector is progressively shifting towards, and becoming dependent on, technology to deliver critical financial services. This has led Bank Negara Malaysia (BNM) to proactively pursue new initiatives to supplement its cyber risk supervision process and strengthen the Bank’s overall cyber surveillance infrastructure, essentially enhancing the Bank’s grasp of industry cyber situational awareness.

1.1.2 In this regard, BNM has decided to acquire an external cyber risk rating tool to address the issues below:

1.1.2.1 Lack of visibility, particularly of the cyber-risk footprint and situational awareness of the Malaysian financial sector;
1.1.2.2 The challenge of establishing a dynamic approach to proactively assess the external cyber risk ecosystem and to measure the cyber rating levels of financial institutions; and
1.1.2.3 Lack of capability to proactively assess the level of exposure to critical IT vulnerabilities and to determine the industry exposure level.

1.1.3 Accordingly, BNM is seeking proposals through this RFP to implement a cybersecurity risk rating tool that automates the collection and analysis of externally available risk data and assesses the financial institutions’ cyber hygiene and industry risk exposure.

2.0 OVERVIEW

2.1 The cybersecurity risk rating tool is expected to serve the objectives below, but is not limited to them:

2.1.1 Provide continuous visibility of potential external risks and automatically calculate a dynamic cyber-risk rating for each financial institution, in order to develop a comparative benchmark of the cyber risk landscape of the financial sector;


2.1.2 Commission a service that will be able to automatically collect, analyse and present external risk indicators or information from a wide range of sources in real time.

2.1.3 Provide a solution that applies various analytical techniques to efficiently build risk profiles of the financial institutions based on various context and metadata.

2.1.4 Enable an intelligence-led solution that is based on a consistent rating methodology and capable of presenting analysed intelligence in a manageable and actionable way.

2.2 The cybersecurity risk rating tool is to be delivered by the Tenderer to BNM on a subscription-based model. On subscription, BNM will be the main stakeholder for the tool and will use the tool at its discretion according to requirements.

2.3 The high-level scope of requirements of the tool includes, but is not limited to:

2.3.1 Commission the risk rating tool as per BNM’s commercial and technical requirements;
2.3.2 Provide seamless data importing or exporting/archiving functionalities, either automatically or manually, as detailed in 3.1.2;
2.3.3 Provide continuous industry cyber-risk situational awareness via dynamic rating, actionable information and recommendations for security controls, as detailed in 3.1.3;
2.3.4 Provide risk rating and analysed intelligence in an intuitive and visual way with dashboards, comparative charting and graphing capabilities, as detailed in 3.1.4;
2.3.5 Provide a reliable analysis tool with search and filtering functionalities, as detailed in 3.1.5;
2.3.6 Provide notification and sharing capabilities to allow information and security control sharing between BNM and financial institutions, as detailed in 3.1.7;
2.3.7 Provide a variety of automated report generation capabilities, as detailed in 3.1.8.

2.4 The service agreement is for a one (1) year initial subscription followed by yearly renewal, subject to performance evaluation by BNM.


3.0 TECHNOLOGY AND SERVICE REQUIREMENTS

3.1 Cybersecurity Risk Rating Tool Requirements

3.1.1 General

3.1.1.1 The proposed solution must be delivered on a subscription model and may be integrated as cloud-based components.

3.1.1.2 The proposed solution’s web interface must be supported, at minimum, by prevailing browsers such as Microsoft Internet Explorer, Microsoft Edge, Google Chrome and Apple Safari. Optionally, the proposed solution may also be accessed via a mobile application supported by Apple iOS and Google Android.

3.1.1.3 The Tenderer must ensure that the proposed service is secure and that any data provided by BNM is retained securely and confidentially.

3.1.1.4 The Tenderer must provide support and maintenance throughout the contract period (preferably by chat, email and a 24/7 customer call centre).

3.1.1.5 The Tenderer must be able to provide general support and usability training for users as required by BNM. All user manuals must also be provided and updated if required.

3.1.1.6 All financial institution data submitted by BNM which is processed and analysed by the tool is owned by BNM and the respective financial institutions.

3.1.1.7 All data as mentioned in 3.1.1.6 must not be processed or used for any other purpose.

3.1.1.8 The proposed solution is required to retain at least twelve (12) months of online data for analysis purposes and to provide options for exporting/archiving data beyond that period, either automatically or manually.

3.1.1.9 The proposed solution must be capable of providing a user activity log or user audit trail. These logs and audit trails must be kept for a minimum period of twelve (12) months.


3.1.2 Data Source and Exporting

3.1.2.1 The proposed solution must be able to automatically collect and analyse external risk indicators or information from a wide range of sources such as, but not limited to, surface, deep and dark web channels.

3.1.2.2 The proposed solution must be capable of exporting/archiving data in a variety of data formats, either automatically or manually, all of which can be configured through the user interface (web portal), such as, but not limited to:

API;
CSV;
PDF, Word, Txt; and
XML.

Please cite if the solution can support formats other than those mentioned above.

3.1.3 Rating Tool Requirements

3.1.3.1 The proposed solution must provide the capability to easily create and maintain watch lists for tracking and/or prioritizing financial institutions.

3.1.3.2 The proposed solution must be able to automate the collection, contextualization and analysis of externally available risk data to assess the financial institutions’ cyber hygiene and risk exposure levels.

3.1.3.3 The proposed solution must be capable of providing a dynamic external exposure rating for each defined financial institution based on external risk, threat or vulnerability information.

3.1.3.4 The proposed solution must be able to provide proactive tracking and remediation suggestions for all critical and high vulnerabilities identified.

3.1.3.5 The proposed solution must ensure that the risk ratings for managed financial institutions are refreshed frequently, incorporating newly collected information and updated tracking of security controls.


3.1.3.6 The proposed solution must have the capability to provide local and global level benchmarking and comparisons for both individual financial institutions and the Malaysian financial sector.

3.1.3.7 The proposed solution must allow BNM to incorporate customized thresholds, acceptance levels and rating benchmarks.

3.1.3.8 The proposed solution must be able to keep track of the FIs’ history, growth and comparison levels for a period of up to twelve (12) months. The solution must also provide exporting or archiving options to automatically or manually store information beyond that period and the related charts, graphs and reports.

3.1.3.9 The proposed solution must be consistently updated so as to effectively track the cyber risk trends of financial institutions and provide actionable intelligence and recommendations for security controls.

3.1.3.10 The proposed solution must be able to provide continuous monitoring and analysis of external risk exposures via dynamic risk rating.

3.1.3.11 The proposed solution must provide the capability to apply custom tagging, labelling or marking.
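The following is an added illustration, not part of the RFP and not any vendor's product, of how the rating requirements in 3.1.3 fit together for an evaluator: open external findings are converted into a per-institution score (3.1.3.3), remediated and stale findings are weighted differently so the rating moves as new information arrives (3.1.3.5), the supervisor supplies its own grade bands and acceptance level (3.1.3.7), each institution is benchmarked against the sector average (3.1.3.6), and a colour indicator is derived for dashboards (3.1.4.7). Every severity weight, threshold, institution name and finding below is a constructed assumption chosen to make the arithmetic easy to follow; a real tool's methodology would be the Tenderer's to document.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Dict, List, Tuple

# Assumed penalty per open finding, by severity (constructed values, not BNM's).
SEVERITY_WEIGHT = {"critical": 25.0, "high": 12.0, "medium": 5.0, "low": 1.0}


@dataclass
class Finding:
    """One externally observed risk indicator for an institution (constructed)."""
    institution: str
    category: str        # e.g. "exposed-service", "tls-config", "credential-leak"
    severity: str        # key of SEVERITY_WEIGHT
    observed: date
    remediated: bool = False


@dataclass
class RatingPolicy:
    """Thresholds and acceptance levels the supervisor would configure (3.1.3.7)."""
    # Grade bands on the 0..100 score, highest floor first.
    bands: List[Tuple[int, str]] = field(
        default_factory=lambda: [(90, "A"), (75, "B"), (60, "C"), (0, "D")])
    acceptance_score: int = 75   # minimum acceptable score
    stale_after_days: int = 90   # findings older than this count at half weight

    def grade(self, score: float) -> str:
        for floor, letter in self.bands:
            if score >= floor:
                return letter
        return self.bands[-1][1]


def finding_penalty(f: Finding, as_of: date, policy: RatingPolicy) -> float:
    """Penalty for one finding: remediated ones count 0, stale ones count half weight."""
    if f.remediated:
        return 0.0
    base = SEVERITY_WEIGHT[f.severity]
    age_days = (as_of - f.observed).days
    return base * (0.5 if age_days > policy.stale_after_days else 1.0)


def institution_score(findings: List[Finding], as_of: date, policy: RatingPolicy) -> float:
    """Score = 100 minus the summed penalties, floored at 0."""
    return max(0.0, 100.0 - sum(finding_penalty(f, as_of, policy) for f in findings))


def traffic_light(score: float, policy: RatingPolicy) -> str:
    """Colour indicator (3.1.4.7): red below acceptance, amber within 10 points above it, else green."""
    if score < policy.acceptance_score:
        return "red"
    if score < policy.acceptance_score + 10:
        return "amber"
    return "green"


def rate_sector(findings: List[Finding], as_of: date, policy: RatingPolicy) -> Dict[str, dict]:
    """Rate every institution and benchmark each against the sector average (3.1.3.3, 3.1.3.6)."""
    by_inst: Dict[str, List[Finding]] = {}
    for f in findings:
        by_inst.setdefault(f.institution, []).append(f)
    scores = {name: institution_score(fs, as_of, policy) for name, fs in by_inst.items()}
    sector_avg = mean(scores.values())
    report = {}
    for name, score in scores.items():
        report[name] = {
            "score": score,
            "grade": policy.grade(score),
            "acceptable": score >= policy.acceptance_score,
            "vs_sector": round(score - sector_avg, 1),
            "indicator": traffic_light(score, policy),
            # Open critical/high items are what 3.1.3.4 asks the tool to track for remediation.
            "open_critical_high": [f.category for f in by_inst[name]
                                   if not f.remediated and f.severity in ("critical", "high")],
        }
    return report


# Constructed sample data: three fictional institutions, rated as of 13 March 2020.
AS_OF = date(2020, 3, 13)
SAMPLE_FINDINGS = [
    Finding("FI-A", "exposed-service", "critical", date(2020, 3, 1)),
    Finding("FI-A", "tls-config", "medium", date(2019, 11, 1)),      # older than 90 days -> half weight
    Finding("FI-A", "dns-hygiene", "low", date(2020, 2, 20)),
    Finding("FI-B", "credential-leak", "high", date(2020, 3, 10), remediated=True),
    Finding("FI-B", "dns-hygiene", "low", date(2020, 3, 5)),
    Finding("FI-C", "vulnerable-software", "high", date(2020, 2, 1)),
    Finding("FI-C", "tls-config", "medium", date(2020, 3, 12)),
]

if __name__ == "__main__":
    for name, row in rate_sector(SAMPLE_FINDINGS, AS_OF, RatingPolicy()).items():
        print(name, row)
```

With the sample data, FI-A carries an open critical finding and scores 71.5 (grade C, red), FI-B's only high finding is remediated and it scores 99.0 (grade A, green), and FI-C sits at 83.0 (grade B, amber). Raising `acceptance_score` to 85 in the policy moves FI-C below the acceptance line without touching the scoring code, which is the kind of supervisor-side configurability 3.1.3.7 asks for.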

3.1.4 Visualization

3.1.4.1 The proposed solution must be capable of providing real-time, fixed or customizable graph-based data representations and trending analysis.

3.1.4.2 The proposed solution must provide user-friendly and intuitive dashboard functionality with charts, graphs and general comparative analysis information made available.

3.1.4.3 The proposed solution must provide in-depth analysis/description for graphs/charts and related data representations.

3.1.4.4 The proposed solution must be able to display a profile of the external state of the cyber risk rating of each financial institution.


3.1.4.5 The proposed solution must be capable of providing real-time built-in benchmarking or peer comparative analysis functionality between financial institutions, with highlights of critical indicators/areas.

3.1.4.6 The proposed solution must be able to provide timeline-based (e.g. by week, by month, by quarter, by year) graphs/charts to keep track of and compare historical data and financial institutions' growth.

3.1.4.7 The proposed solution must use colour indicators or icons to help illuminate, visualize, prioritize and highlight risk levels via the rating structure.

3.1.5 Performance

3.1.5.1 The proposed solution must provide search, sorting and filtering functionalities to allow for comparative analysis and filtering of relevant information. The functionality should support multiple criteria sets (such as keywords, sector, country, timeline and more) which can be saved.

3.1.6 Integrations

3.1.6.1 The proposed solution must be able to support integrations with other business applications or tools through an API. Please state whether the solution can also integrate with other similar solutions.

3.1.6.2 The Tenderer must provide the necessary technical support for any integration via API as requested by BNM.

3.1.7 Security

3.1.7.1 The proposed solution must use a secured HTTPS connection, encrypted with TLS 1.2 or a later secure version.

3.1.7.2 The proposed solution’s portal must have a secure digital certificate that uses strong cryptographic algorithms based on industry standards.


3.1.7.3 The proposed solution must be periodically updated with the latest security and application/system updates.

3.1.7.4 The proposed solution must support user password management capabilities.

3.1.7.5 The proposed solution must be capable of supporting multi-factor authentication (MFA) for login.

3.1.7.6 The Tenderer must have processes to ensure secure disposal of all data provided by BNM at the end of the service period or upon termination of the service.
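An acceptance check for clauses 3.1.7.1 and 3.1.7.2, added here as an example that is not part of the RFP or of any tenderer's solution: it builds a client TLS context that refuses anything below TLS 1.2, judges the negotiated session and the peer certificate, and also flags cipher choices (no forward secrecy, CBC suites, legacy algorithms) that the clause wording alone would not catch. The portal hostname is an assumption, and the certificate's signature algorithm and key size are not exposed by Python's ssl module, so they are left to an external tool.

```python
"""Acceptance check for RFP clauses 3.1.7.1 (HTTPS with TLS 1.2 or later) and
3.1.7.2 (certificate using strong, industry-standard cryptography).
Added example, standard library only."""
import socket
import ssl
import time
from dataclasses import dataclass, field

ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")      # clause 3.1.7.1
# Substrings of OpenSSL suite names that mark legacy or anonymous algorithms.
LEGACY_MARKERS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH", "PSK")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")       # anything else under TLS 1.2 is CBC
MIN_SECRET_BITS = 128


@dataclass
class Finding:
    issues: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.issues


def make_policy_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and validates chain and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def has_forward_secrecy(version: str, cipher_name: str) -> bool:
    """All TLS 1.3 suites use (EC)DHE; under 1.2 the OpenSSL name carries the key exchange."""
    if version == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def assess_session(cipher: tuple, cert: dict, now_epoch: float) -> Finding:
    """Judge a negotiated session against 3.1.7.1 and 3.1.7.2.

    `cipher` is the (name, protocol, secret_bits) tuple from SSLSocket.cipher(),
    `cert` the dict from SSLSocket.getpeercert(); `now_epoch` is injected so the
    expiry check is deterministic.
    """
    name, version, bits = cipher
    f = Finding()
    if version not in ACCEPTED_VERSIONS:
        f.issues.append(f"negotiated {version}; clause 3.1.7.1 requires TLS 1.2 or later")
    if any(m in name for m in LEGACY_MARKERS):
        f.issues.append(f"legacy cipher suite {name}")
    if version != "TLSv1.3" and not any(m in name for m in AEAD_MARKERS):
        f.issues.append(f"{name} is a CBC (non-AEAD) suite")
    if not has_forward_secrecy(version, name):
        f.issues.append(f"{name} lacks forward secrecy")
    if bits < MIN_SECRET_BITS:
        f.issues.append(f"only {bits}-bit symmetric key")
    # Certificate checks that the getpeercert() dict allows (clause 3.1.7.2).
    if "notAfter" not in cert or ssl.cert_time_to_seconds(cert["notAfter"]) < now_epoch:
        f.issues.append("certificate expired or has no notAfter")
    if not cert.get("subjectAltName"):
        f.issues.append("certificate has no subjectAltName")
    if cert.get("subject") == cert.get("issuer"):
        f.issues.append("self-signed certificate, not issued by a public CA")
    return f


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Finding:
    """Connect to the portal with the policy context and assess what was negotiated."""
    ctx = make_policy_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess_session(tls.cipher(), tls.getpeercert(), time.time())
    except ssl.SSLError as exc:
        # The handshake itself failed under the policy (e.g. server offers only TLS 1.0).
        return Finding([f"handshake rejected by policy context: {exc}"])


# Constructed sample data (not from the RFP) for offline use.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example.invalid"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "portal.example.invalid"),),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 13 00:00:00 2020 GMT")  # RFP issue date

if __name__ == "__main__":
    print(assess_session(("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256), SAMPLE_CERT, SAMPLE_NOW))
    print(assess_session(("AES128-SHA", "TLSv1.0", 128), SAMPLE_CERT, SAMPLE_NOW))
    # probe("portal.example.invalid")  # assumed hostname; needs network access
```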

3.1.8 Notification and Sharing

3.1.8.1 The proposed solution must have the capability of displaying/sending notifications or alerts to BNM based on customizable pre-defined criteria such as, but not limited to, alerting on high priority vulnerabilities and alerting when a financial institution drops below a fixed rating threshold.

3.1.9 Reporting Requirements

3.1.9.1 The proposed solution must be capable of automatically generating various comprehensive and visually supplemented reports which can be seamlessly exported as required. These reports are preferred to be generated in formats such as PDF, Word and/or HTML.

3.1.9.2 The proposed solution must be able to automatically produce reports based on defined criteria and timelines (by week, by month, by quarter, by year). These reports must cover the intended objectives of the tool such as, but not limited to:

Detailed individual FI profile rating and cyber-risk landscape reports;

Comparison and benchmarking reports; and

Observations and recommendations for security controls.


3.1.9.3 The proposed solution must be capable of generating both high-level and detailed reports for the individual financial institutions managed and for general industry comparison and peer benchmarking.

3.1.10 Optional Requirements

3.1.10.1 The proposed solution is preferred to have the capability to provide automated predictive analysis from gathered information.

3.1.10.2 The proposed solution is preferred to have the capability to provide customizable dashboards or built-in widget options.

3.1.10.3 The proposed solution is preferred to have automated mechanisms to allow sharing of information between BNM and financial institutions as required.

3.1.10.4 The proposed solution is preferred to have the capability to sanitize or anonymize information as required for appropriate sharing by BNM.

3.1.10.5 The proposed solution is preferred to have the capability to support report customization.


PART C – CONTENT COVERAGE OF RESPONSE TO RFP REQUIREMENTS

1.0 FORMAT OF PROPOSAL

1.1 The Tenderer is invited to submit a comprehensive proposal of Cybersecurity Risk Rating Tool service for BNM. The Tenderer is advised to seek clarification to better understand BNM’s environment and requirements before submitting the proposal.

1.2 The Tenderer is required to submit the Proposal in the format specified in PART A – 4.0 Submission of Proposal.

Remaining page is blank


APPENDIX A-1(i) – Covering Letter

Format of letter to BNM on the Tenderer’s letterhead

Pengarah
Jabatan Pakar Risiko dan Penyeliaan Teknologi
1C, Bank Negara Malaysia
Jalan Dato’ Onn
50480 Kuala Lumpur

Dear Sir,

Subject: Response to Request for Proposal (RFP) for implementation of Cybersecurity Risk Rating Tool

1. With reference to the RFP, we hereby enclose our offer for the implementation of Cybersecurity Risk Rating Tool covering all the business, technical and project requirements as mentioned in the RFP.

2. We acknowledge that we have read, understood and hereby agree to accept all contents of the RFP.

3. We undertake to provide all the services prescribed in the contract to be entered with BNM and comply within the timeframe specified therein if BNM accepts our offer.

4. We confirm that our offer is made in compliance with the RFP and shall remain valid for 6 months from the closing date of the RFP.

Yours faithfully,

(Name & Designation, Seal of the firm)


APPENDIX A-2

UNDERTAKING OF CONFIDENTIALITY

Within the context of the tender to provide “Cybersecurity Risk Rating Tool”, Company _____________________________ undertakes not to give, divulge or reveal any information, data, drawings, specifications or documentation whatsoever, relating to the business and affairs of BANK NEGARA MALAYSIA to any parties AND HEREBY COVENANTS to take all necessary action to ensure that this undertaking shall be binding upon all its employees, agents and persons acting on its behalf pursuant to the said Project.

Signed : __________________                Signed : __________________
Name : __________________                  Name : __________________
Designation : __________________           Designation : __________________
FOR AND ON BEHALF OF                       FOR AND ON BEHALF OF
_____________________________              BANK NEGARA MALAYSIA

Below / Attached is a list of employees, agents or persons acting on behalf of Company _____________________________ involved in the project who shall abide by the above.

Name NRIC Designation Signature


APPENDIX A-3(i)

BANK NEGARA MALAYSIA

CENTRAL BANK OF MALAYSIA

Declaration of Interests by Vendor / Contractor / Service Provider

Company/ Vendor Name : ___________________________________

Type of contract/services tendered : ___________________________________

I, _____________________________ (full name) the undersigned, representative of ____________________________________ (full name of the tenderer) submitting a tender in respect of call for tender _________________________________ (name of tender), hereby undertake that:

Our shareholders / directors / staff holding key management function and their close family members* do not have any relationship with any personnel including, Key Management Personnel** of Bank Negara Malaysia.

The following shareholders / directors / staff holding key management function of (full name of the tenderer) _________________________ have a relationship with personnel of the Bank or their close family members*, including Key Management Personnel** of Bank Negara Malaysia, by virtue of their close family members’ position. Details are provided below:

*Close Family Member refers to spouse, children and their spouses, parents, in-law, siblings, sibling's spouse and their children


** Key Management Personnel is defined as members of the Board of Directors, Governor, Deputy Governors, Assistant Governors and equivalent and Directors / Heads of Departments.

I hereby declare that I have carefully read and completed this form myself and provided current and accurate information to the best of my knowledge.

Signatory

Name of Signatory

Position in the Tenderer’s Company

Date:

If the tenderer is related to Key Management Personnel of the Bank, a copy of this form shall be submitted to the Board Secretariat Unit.

Confirmation of receipt by:

Name & Signatory

Department

Board Secretariat Unit

Date:

Confirmation of receipt by:

FOR OFFICIAL USE ONLY (FORM TO BE FORWARDED TO JABATAN MODAL INSAN STRATEGIK)

Signatory

Name

Date


APPENDIX A-4(i)

Cybersecurity Risk Rating Tool

Company’s Background The Tenderer shall submit and complete the following form.

1.0 Company Background

1.1 Name

1.2 Address

1.3 Telephone No. : Fax No.

1.4 Branch Name and Address

1.5 Type of Company {Please cross ( X ), where applicable}

1.5.1 Sole Proprietor

1.5.2 Partnership

1.5.3 Private Limited

1.5.4 Others

(Please specify)

1.6 Place of Incorporation :

1.7 Certificate of Registration No. :

1.8 Year of Registration :

1.9 Income Tax No. :

1.10 Areas of Business :

1.11 Major Product / Services :


CONFIDENTIAL


Cybersecurity Risk Rating Tool

List of Customers with Similar Setup/Support for the Last Three [3] Years General:

Note: ¹Sector = banking, automotive, etc.

Example:


Page 28 of 75 CONFIDENTIAL

APPENDIX B-1

PERSONAL DATA PROTECTION NOTICE TO VENDORS / PROVIDERS OF GOODS/SERVICES

Purpose of notice

1. This notice is issued pursuant to the requirements under the Personal Data Protection Act 2010 (PDPA) to all individuals who are vendors/providers of goods/services or the individual employees of the vendors/providers of goods/services – (i) engaged by Bank Negara Malaysia (BNM); or (ii) who submit any RFI/tender/proposal to BNM for such purpose (referred to as “vendors”).

Purpose of Notice (Malay version)

1. This notice is issued in line with the requirements of the Personal Data Protection Act 2010 (PDPA) to all individuals who sell/supply goods/services, or employees of sellers/suppliers of goods/services, who – (i) are appointed by Bank Negara Malaysia (BNM); or (ii) submit any RFI/tender/offer for that purpose (referred to as “suppliers”).

Processing of personal data

2. During the course of its dealings with you, BNM processes personal data of the vendors which include, but is not limited to, your name, IC number, address and other contact details.

Processing of Personal Data (Malay version)

2. Throughout the period of BNM’s dealings with you, BNM processes the personal data of suppliers, including, but not limited to, name, identity card number, address and other contact details.

Purpose of processing personal data

3. The personal data is collected for, amongst others, the following purposes:

(a) assessing your suitability to be awarded the contract for which you have applied;

(b) enforcing the rights and obligations in the contracts, including but not limited to, making payments for the goods/services and maintaining the list of key personnel who will be responsible to carry out the rights and obligations of the vendors under the contracts;

(c) providing access to BNM’s premises; and

(d) complying with any legal or regulatory requirements, including but not limited to, compliance with the withholding tax requirements, or as permitted by law or authorised by any order of court.

Purpose of Processing Personal Data (Malay version)

3. The personal data is collected for, among others, the following purposes:


(a) assessing your suitability to obtain the contract you have applied for;

(b) carrying out the rights and obligations in the contracts, including but not limited to, making payment for the goods/services and keeping a list of the key personnel who will be responsible for carrying out the rights and obligations of the supplier under those contracts;

(c) providing access to BNM’s premises; and

(d) complying with any legal or regulatory requirements, including but not limited to compliance with withholding tax requirements, or as permitted by law or authorised by a court order.

Disclosure of personal data

4. The personal data held by us shall be kept confidential. However, in order to exercise our rights and obligations under the contracts or to evaluate your RFI/tender/proposal to BNM, we may disclose your personal data to:

Departments within BNM;

Financial institutions;

Other parties authorised by you;

Regulatory and governmental agencies as permitted or required by law, authorised by any order of court or to meet obligations to regulatory authorities.

Disclosure of Personal Data (Malay version)

4. The personal data held by BNM will be kept confidential. However, in order to exercise the rights and obligations under the contract or to evaluate your RFI/tender/proposal to BNM, BNM may disclose your personal data to:

Departments within BNM;

Financial institutions;

Other parties authorised by you;

Enforcement and government agencies as permitted or required by law, authorised by any court order or to fulfil obligations to any enforcement authority.

Protection of personal data

5. The security of your personal data is ensured by BNM as we shall take all physical, technical and organisational measures needed to ensure the security and confidentiality of your personal data. If we disclose any of your personal data to any entities, we will require them to appropriately safeguard the personal data provided to them.

Protection of personal data (Malay version)

5. The security of your personal data is guaranteed by BNM as we will take all physical, technical and organisational measures required to ensure the security and confidentiality of your personal data. Should we disclose your personal data to any party, we will ensure that that party takes the appropriate measures to ensure the security of the personal data provided to them.

Retention of personal data


6. It is BNM’s policy to destroy personal data of the vendors within 7 years after the contract has been awarded or after the conclusion of the contract, whichever is applicable.

Retention of personal data (Malay version)

6. It is BNM’s policy to destroy the personal data of suppliers within 7 years after the contract has been awarded or after the contract has been completed, whichever is applicable.

Access to personal data

7. Under the PDPA, you have the right to access your personal data to ensure that the personal data we hold about you is accurate, complete, not misleading and up-to-date. If you wish to exercise such rights and request access to your personal data, please contact us by completing our “Personal Data Access/Correction Request Form” (Appendix B-2) and forwarding it to (via e-mail): [email protected]

Access to personal data (Malay version)

7. Under the PDPA, you have the right to access your personal data to ensure that the data we hold about you is accurate, complete, not misleading and current. If you wish to exercise that right and request access to your personal data, please contact us by completing the “Personal Data Access/Correction Form” (Appendix B-2) and sending it to (via e-mail): [email protected]

Kindly sign and acknowledge the Notice that you have read and understood the Notice and you consent to the processing of your personal data by BNM.

(Malay version) Please sign and notify us of your acceptance of this Notice to state that you have read and understood this Notice and that you consent to the processing of your personal data by BNM.

To : Bank Negara Malaysia

I hereby acknowledge that I have read and understood this Personal Data Protection Notice and by signing this, I consent to the processing of my personal data by BNM in accordance with the terms of this notice.

(Malay version) I hereby acknowledge that I have read and understood this Personal Data Protection Notice and, by signing this document, I consent to the processing of my personal data by BNM based on the terms in this Notice.

-------------------------

Name / Nama :

I/C No :

Date/ Tarikh :


_________________________

Details to include designation of contact person, phone no, fax no, email address


APPENDIX B-2

Personal Data Access/Correction Request Form

NAME

IC NO/STAFF ID TEL. NO/EXT. NO

EMAIL ADD.

TYPE OF REQUEST &

TYPE OF PERSONAL DATA

REASON

- I hereby request to access/correct my personal data that is being processed by *

............................………………………………………………………………………………………………………………

(hereinafter ‘the data user’).

- I confirm that the details above are correct and acknowledge that should there be any incorrect or incomplete information or any circumstances provided under section 32 of the Personal Data Protection Act 2010, the data user may refuse to give me access to my personal data.

- I also acknowledge that if the data user, for whatever reason, is unable to comply with this request within 21 days from today, they would notify me in writing, explaining the reasons, before the 21 days has lapsed.

- I confirm that all correction that I would make to my personal data, if any, is correct and up-to-date.

SIGNATURE

DATE

* Please fill in the name of the department that processes the personal data.

………………………………………………………………………………………………………………………………………………

……………

To be filled in by the data user as an acknowledgment of receipt:

NAME


STAFF ID EXT. NO

SIGNATURE

DATE

Personal Data Access/Correction Request Form (Malay version)

NAME

IC NO/STAFF ID TEL. NO/EXT. NO

EMAIL ADDRESS

TYPE OF REQUEST &

TYPE OF PERSONAL DATA

PURPOSE

- I hereby request access to/correction of my personal data which is being processed by *

..............................………………………………………………………………………………….

…………………………………………………………………. (hereinafter referred to as ‘the data user’).

- I confirm that the information given above is true and take note that the data user is entitled not to give me access to my personal data should the information above contain any error or be incomplete, or should any circumstance provided for under section 32 of the Personal Data Protection Act 2010 apply.

- I also understand that, should this request fail for whatever reason, the data user will notify me in writing within 21 days from today to explain the reasons for my request being refused.

- I confirm that all corrections I will make to my personal data, if any, are correct and up to date.

SIGNATURE

DATE

* Please state the name of the department that processes your personal data.

………………………………………………………………………………………………………………………………………………

……………


To be filled in by the data user as proof of receipt:

NAME

STAFF ID EXT. NO

SIGNATURE

DATE


DATED THIS DAY X OF [MONTH] 2020

SUBSCRIPTION AGREEMENT FOR

Cybersecurity Risk Rating Tool

BETWEEN

BANK NEGARA MALAYSIA

AND

[insert company name]

(Company No.:XX)

APPENDIX C


THIS AGREEMENT is made this XX of XX 2020

BETWEEN

BANK NEGARA MALAYSIA, a body corporate which continues to exist under the Central Bank of Malaysia Act 2009, with its head office at Jalan Dato' Onn, 50480 Kuala Lumpur (hereinafter referred to as “BNM”) of the one part;

AND

[insert company name] (Company No.:XX), a company incorporated or deemed to be incorporated under the Companies Act 2016, with its registered office at [please insert address] (hereinafter referred to as “the Company”) of the other part.

BNM and the Company shall be hereinafter referred to collectively as “the Parties” and individually as “the Party”.

WHEREAS

BNM is desirous of subscribing to the Company’s Products and Services, hereinafter defined, to establish a Cybersecurity Risk Rating Tool, and the Company agrees to provide the Products and Services subject to the terms and conditions stipulated below.

IT IS HEREBY AGREED BETWEEN THE PARTIES AS FOLLOWS:

1. DEFINITION AND INTERPRETATIONS

1.1 Definitions

In this Agreement, unless the context otherwise requires:

(a) “Authorised Representative” means the personnel of BNM or the Company who is responsible to give effect to this Agreement as set out in Schedule A;

(b) “Authorised User(s)” means full or part-time employees of BNM and BNM’s contractors who are required to access the Product by BNM;

(c) “Commencement Date” means the XX day of XX 2020;


(d) “Location” refers to locations which access of the Product is restricted to, including all of BNM’s premises and other locations mutually agreed to by the Parties in writing.

(e) “Manuals” means the manuals, documentation, user instructions, technical literature and all other related materials in eye-readable form supplied to BNM by the Company for use of the Product, if any;

(f) “Price” means the total price payable by BNM to the Company under this Agreement as set out in Schedule B;

(g) “Product(s)” means all information (including without limitation data, documents, reports, and standards) and technologies provided by the Company to BNM as specified in Schedule C; and

(h) “Services” means the services provided by the Company to BNM as specified in Schedule C.

1.2 Interpretations

In this Agreement, unless the context requires otherwise, the following rules of interpretation shall apply:

(a) Subject to clause 5, any reference to “Agreement” shall include this Agreement, schedules and any supplementary agreements or, in the case where this Agreement has been amended, varied or novated by the Parties from time to time, such amended, varied or novated agreement;

(b) Any reference to any statutory provision includes a reference to any modification, extension or re-enactment thereof (whether, made before or after the date thereof) for the time being in force and also includes a reference to all by-laws, instruments, orders and regulations for the time being made thereunder or deriving therefrom;

(c) Any reference to “law” includes the Federal Constitution, decree, judgment, legislation, order, ordinance, regulation, statute, treaty, by-law, governmental directions, orders or guidelines or other legislative measure in Malaysia;

(d) References to the singular number shall include references to the plural number and vice versa;


(e) Words denoting one gender include the other gender;

(f) Words denoting persons include corporations and vice versa and also include their respective heirs, personal representatives, successors in title or permitted assigns as the case may be;

(g) Where a word or phrase is given a defined meaning in this Agreement, any other part of speech or other grammatical form in respect of such word or phrase has a corresponding meaning;

(h) Any reference to “writing”, or cognate expressions, includes any communication effected by prepaid registered post, electronic mail or facsimile transmission; and

(i) Anything required by this Agreement to be done on a day which is a Saturday, Sunday or public holiday shall be done and be valid if done on the next succeeding day which is not such a day.

2. HEADINGS

2.1 The headings and sub-headings in this Agreement are inserted merely for convenience of reference and shall be ignored in the interpretation and construction of any of the provisions contained herein.

3. LANGUAGE

3.1 English is the governing language of this Agreement and shall prevail over any translation that shall be made in this Agreement. All correspondences, notices or other documents, drawings and diagrams required or permitted hereunder shall be drawn up and annotated in English unless otherwise agreed by the Parties.

4. RECITALS

4.1 The recitals of this Agreement shall have effect and be construed as an integral part of this Agreement, but in the event of any conflict or discrepancy between any of the provisions of this Agreement and the recitals, such conflict or discrepancy shall, for the purposes of the interpretation and enforcement of this Agreement, be resolved by giving the provisions contained in the clauses of this Agreement priority and precedence over the provisions contained in the recitals of this Agreement.


5. SCHEDULES

5.1 The schedules to this Agreement shall have effect and be construed as an integral part of this Agreement, but in the event of any conflict or discrepancy between any of the provisions of this Agreement and the schedules, such conflict or discrepancy shall for the purposes of the interpretation and enforcement of this Agreement, be resolved by giving the provisions contained in the clauses of the schedules priority and precedence over the provisions contained in this Agreement.

6. DURATION OF THE AGREEMENT

6.1 The Parties to this Agreement shall continue to perform their respective duties and obligations under this Agreement from the Commencement Date until [day] [month] 2021 unless the duration is extended by mutual agreement of the Parties or terminated earlier by either Party in accordance with the terms of this Agreement or under the law.

6.2 The duration of this Agreement may be extended for a further period by mutual consent of the Parties subject to performance evaluation of the Services to the satisfaction of BNM and such extension shall be given effect by way of exchange of letters duly signed by the Authorised Representatives at least one (1) month prior to the expiry date of this Agreement. The extension of this Agreement shall be effective from the date as specified in the letters.

7. REPRESENTATIONS AND WARRANTIES

7.1 The Company hereby represents and warrants to BNM that:

(a) it is a corporation validly existing under the laws of Malaysia;

(b) it has the corporate power to enter into and perform its obligations under this Agreement and to carry out the Services and to carry on its business as contemplated by this Agreement;

(c) it has taken all necessary corporate actions to authorise its signatory and witness stated herein to execute this Agreement on its behalf to bind it to enter into and perform this Agreement and to carry out the transactions contemplated by this Agreement;

(d) as at the date of this Agreement, neither the execution nor performance by the Company of this Agreement nor any transactions contemplated by this Agreement shall violate in any respect any provision of:


(i) its Constitution; or

(ii) any other document or agreement which is binding upon it or its

assets;

(e) to the best of its knowledge no litigation, arbitration, tax claim, dispute or

administrative proceeding is presently current or pending or, to its

knowledge, threatened, which is likely to have a material adverse effect

upon it or its ability to perform its financial or other obligations under this

Agreement;

(f) this Agreement constitutes a legal, valid and binding obligation of the

Company and is enforceable in accordance with its terms and

conditions;

(g) it has fulfilled all requirements under the law to undertake and to provide

the Services, including obtaining the relevant licenses or permits which

shall be valid throughout the period of this Agreement;

(h) it has the necessary financial and technical capabilities to undertake the

Services; and

(i) it shall provide the Services in good faith and meet the highest

professional standards,

and the Company acknowledges that BNM has entered into this Agreement in

reliance of its representations and warranties as aforesaid.

8. PRICE AND MANNER OF PAYMENT

8.1 BNM shall pay the Company the Price in the manner set out in Schedule B as a consideration for the Company’s performance of the Services and other obligations in accordance with this Agreement.

8.2 The Price shall be inclusive of any tax, duty or charge which is imposed by the Government of Malaysia pursuant to Malaysian law from the Commencement Date in respect of this Agreement.

8.3 BNM shall pay the Price to the Company within thirty (30) days from the date of receipt of an invoice provided that –

(a) the invoice complies with and contains all particulars required under Malaysian law, including the following particulars:

(i) the invoice serial number;

(ii) the date of the invoice;

(iii) the name, address and identification number of the Company;

(iv) the name and address of BNM;

(v) a description sufficient to identify the Services supplied which shall be distinguished based on the type of Services, extent of the Services and the amount payable excluding service tax;

(vi) any discount offered;

(vii) the total amount payable for the Services excluding sales or service tax, the rate of sales or service tax and the total sales or service tax chargeable shown as a separate amount or total amount payable inclusive of total of sales or service tax chargeable;

(viii) the equivalent value in Ringgit of any amount at the selling rate of exchange prevailing in Malaysia at the time of sale of the Services, if expressed in a currency other than Ringgit;

(b) if the Services supplied under this Agreement are subject to the Sales Tax under the Sales Tax Act 2018 or the Service Tax under the Service Tax Act 2018, the Company shall furnish to BNM a proof of registration as a taxable person under the relevant Act; and

(c) the Services supplied or any part thereof are in accordance with this Agreement.

8.4 BNM shall not bear any withholding tax, other taxes, duties or charges which may be levied by the Government of Malaysia, where applicable, on the Company.

8.5 The Company shall, upon prior agreement in writing by the Parties, provide additional services which are not deemed as part of the Services (hereinafter referred to as “Additional Services”) and shall be paid an additional price (hereinafter referred to as “Additional Price”) in accordance with clause 8. The Additional Price shall be mutually agreed in writing by the Parties prior to the commencement of the Additional Services.

9. INFORMATION AND COORDINATION

9.1 The Company shall furnish BNM with such information relating to the Services as BNM may from time to time reasonably request, and shall take all steps necessary to clarify and confirm such information with BNM for the purposes of the Services.

9.2 BNM shall furnish the Company with any information which the Company may reasonably require from time to time to enable the Company to proceed with the performance of this Agreement.


10. LIABILITY

10.1 The Company shall not be liable to BNM for any loss or damage whatsoever or howsoever caused arising in connection with this Agreement other than as imposed by law.

11. RESTRICTION ON USE OF NAME AND MATERIALS

11.1 The Company shall neither use nor refer to BNM's name or logo, or in any other manner in respect of this Agreement, without the prior written consent of BNM:-

(a) in the press;

(b) for advertising or promotional purposes; or

(c) to inform or influence any third party.

11.2 The Company agrees not to disclose to any third party that it has been retained by BNM to provide the Services, unless the information is otherwise already publicly available or as required under the law.

12. CONFIDENTIALITY

12.1 Each Party hereto undertakes to keep absolutely confidential all information, specifications or documentation whatsoever concerning the business and affairs of the other, obtained or received as a result of the discussions leading to or during the execution or enforcement of this Agreement. The Parties' obligation of confidentiality shall not apply to information which is:-

(a) already in the possession of each Party other than as a result of a breach of this clause; or

(b) in the public domain other than as a result of a breach of this clause.

12.2 Each Party undertakes to the other to ensure that its employees, personnel, agents or sub-contractors comply with the provisions of this clause.

12.3 Disclosure of confidential information pursuant to or under compulsion of a valid order of a court of law or under the requirement of law is not prohibited; provided that the Party making the disclosure pursuant to the court order or the requirement of the law shall first have given notice to the other Party whose confidential information is required to be disclosed.

12.4 The foregoing obligations concerning confidentiality shall survive the termination of this Agreement.


13. SUB-CONTRACTS

13.1 The Company shall not, without the prior written consent of BNM, enter into any sub-contract with any person for the performance of a material part of this Agreement.

13.2 The Company shall not be relieved from any of its obligations hereunder by entering into any sub-contract for the performance of any part of this Agreement. If requested by BNM, and without disclosing any sensitive commercial information, the Company shall promptly provide BNM with copies of any sub-contracts.

14. ASSIGNMENT

14.1 Neither Party shall assign nor otherwise transfer this Agreement or any of its rights and obligations hereunder whether in whole or in part without the prior written consent of the other Party.

15. TIME

15.1 Time shall be of the essence of this Agreement.

16. WHISTLEBLOWING

16.1 The Company shall as soon as possible, in writing or orally, inform any of the designated persons of BNM listed in clause 16.5.1, upon having knowledge of any member of Board of Directors, officer or employee of BNM, directly or indirectly, asking for or receiving, any Gratification whether for his own personal benefit or advantage or for the benefit or advantage of any other person, in relation to this Agreement, whether before, during or after the term of this Agreement.

16.2 The Company undertakes that neither it nor its Affiliate nor anyone acting on its behalf shall, whether before, during or after the term of this Agreement, directly or indirectly, give or offer, or agree to give or offer, any Gratification as an inducement or reward to any member of Board of Directors, officer or employee of BNM or any other person, for doing or forbearing from doing or for having done or forborne from doing any act, or for showing or forbearing from showing favour or disfavour to any person, in relation to this Agreement.

16.3 In the event BNM is satisfied that the Company, its Affiliate or anyone acting on its behalf is in breach of clause 16.1 or 16.2, BNM may terminate this Agreement (without prejudice to BNM’s other rights and remedies under the law) by giving a prior written notice of one (1) day to the Company. Upon such termination, BNM shall be entitled to claim all losses, costs, damages and expenses including any incidental costs and expenses incurred by BNM arising from such termination. The Company shall not be entitled to recover from BNM any loss or damages sustained or incurred by the Company as a consequence of such termination.

16.4 Notwithstanding any other provision in this Agreement but subject to any written law, BNM shall keep confidential any information disclosed or received under clause 16 including the identity of the person giving such information and all the circumstances relating to such information.

16.5 For purposes of clause 16:

16.5.1 The designated persons of BNM are as follows:

(a) Governor, if the information relates to -

(i) any member of BNM’s Board of Directors including Deputy Governor;

(ii) Assistant Governor;

(iii) General Counsel; or

(iv) Director of LINK and BNM Offices;

(b) Chairman of Board Risk Committee, if the information relates to Governor; and

(c) General Counsel or Director of LINK and BNM Offices, if the information relates to any officer or employee of BNM other than those identified under (a) above.

16.5.2 ‘Affiliate’ means in relation to the Company, any person or entity controlled directly or indirectly by the Company, or any person or entity that controls directly or indirectly the Company in any way whatsoever.

16.5.3 ‘Gratification’ includes any gift, money, property or thing of value, or any service, favour or other intangible benefit or consideration of any kind, or any other similar advantage.

17. NOTICES

17.1 All notices which are required to be given hereunder shall be in writing and shall be sent to the address of the recipient as set out in Schedule A or such other address in Malaysia as the recipient may designate by notice given in accordance with the provisions of this clause.

17.2 Any notice given in conformity with the foregoing sub-clause shall be deemed to have been given at any of the following times as may be appropriate:

(a) when it is delivered by hand, at the time when it is so delivered on a working day;

(b) when it is sent by prepaid registered post, on the second working day following that on which the notice was put into the post; and

(c) when the notice is sent by electronic mail or facsimile, on the first working day after it was sent.

18. VARIATION

18.1 It is hereby expressly agreed and declared by the Parties hereto that notwithstanding any of the provisions of this Agreement to the contrary, the provisions and terms of this Agreement may at any time and from time to time be varied or amended by mutual consent of the Parties hereto by means of a mutual exchange of letters signed by the Authorised Representative of each Party. Such amendments and variations shall be deemed to become effective and the relevant provisions of this Agreement shall be deemed to have been amended or varied accordingly and shall be read and construed as if such amendments and variations have been incorporated therein as from the date specified in the exchange of letters.

19. GOVERNING LAW

19.1 This Agreement shall be governed by and construed in accordance with the laws of Malaysia.

20. SETTLEMENT OF DISPUTES

20.1 The Parties shall, in good faith, attempt to settle amicably and mutually, any disputes or conflicts arising from this Agreement.

20.2 All disputes, conflicts or differences arising between the Parties from this Agreement, or breach, termination or illegality thereof, which cannot be resolved by the Parties within a period of fourteen (14) days under clause 20.1, shall be finally settled by arbitration in accordance with the manner and rules stipulated in clause 21.

20.3 The Parties’ performance of obligations under this Agreement shall neither cease during any arbitration proceedings nor shall the Parties be released from any obligations hereunder by the institution of any arbitration proceedings.

21. ARBITRATION

21.1 Any unresolved dispute, controversy or claim between BNM and the Company shall be referred to and finally resolved by arbitration in Malaysia by an arbitrator to be agreed upon between the Parties or, failing agreement within fourteen (14) days after either Party has given to the other a written request to agree to the appointment of an arbitrator, a person to be nominated by the Director of the Asian International Arbitration Centre at the request of either Party. The arbitration shall be in accordance with the Arbitration Act 2005 and the Arbitration Rules for Asian International Arbitration Centre for the time being in force which rules are deemed to be incorporated by reference into this clause.

21.2 The arbitration award shall be final and binding on the Parties and judgment upon the award entered in arbitration may be entered in any court of competent jurisdiction.

22. TERMINATION

22.1 This Agreement may be terminated forthwith by either Party on giving thirty (30) days’ prior written notice to the other.

22.2 Notwithstanding the above, the Company shall obtain the written consent of BNM if the Company wishes to terminate this Agreement under clause 22.1 and, if required by BNM, the Company shall provide BNM with solution(s) mutually acceptable to the Parties to address the problem(s) encountered by BNM arising from such termination.

22.3 The Company shall not be entitled to terminate this Agreement under clause 22.1 if the Company fails to propose a solution(s) to BNM or if the solution(s) proposed by the Company under clause 22.2 is not acceptable to BNM.

22.4 Notwithstanding clauses 22.1 to 22.3 above, either Party may give a thirty (30) days’ prior written notice to the other Party to terminate this Agreement, if:

(a) the other Party is in material breach of any terms, conditions, warranties or any provisions of this Agreement and has failed to remedy that breach, having been given sixty (60) days’ written notice to remedy the breach, except as otherwise provided in this Agreement; or

(b) the other Party commits an act of bankruptcy, or a receiving order is made against it, or it makes or negotiates for any composition or arrangement for the benefit of its creditors or if a petition for its winding-up has been presented against it in a court of competent jurisdiction, or it becomes insolvent or ceases to carry on its business.


22.5 Each Party shall fulfil all its obligations under this Agreement pending the effective date of termination upon the issuance of notice under this clause. BNM shall allow the personnel or agents of the Company to enter BNM’s premises for the purpose of carrying out its outstanding obligations.

22.6 Any termination under clause 22.1 shall discharge the Parties from any liability for further performance of this Agreement and BNM shall be entitled to be repaid forthwith any sums previously paid in advance under this Agreement in respect of the Services that were not provided in accordance with Schedule C hereunder prior to the effective date of termination. In the event BNM terminates this Agreement under clause 22.4, BNM may recover from the Company the amount of any loss or damage suffered or incurred by BNM as a consequence of such termination.

22.7 Termination of this Agreement shall not affect the accrued rights or corresponding obligations of the Parties under this Agreement in so far as they are capable of subsisting.

23. FORCE MAJEURE

23.1 The Parties hereto shall not be liable for failures or delays in performing their obligations hereunder arising from any cause beyond their control, including but not limited to, act of God, acts of civil or military authority, fires, strikes, lockouts or labour disputes, epidemics, wars, riots, earthquakes, storms, typhoons and floods, and in the event of any such delay, the time for either Party's performance shall be mutually extended for a period equal to the time lost by reason of the delay, save where such delay is caused by the act or omission of the other Party, in which event the rights, remedy and liabilities of the Parties shall be those conferred and imposed by the terms of this Agreement and by law.

23.2 In the event of any delay, the delaying Party shall promptly notify the other in writing of the reasons for the delay and the likely duration of the delay, whereby the performance of such Party’s obligations shall be mutually suspended during the period that the conditions specified in the foregoing sub-clause persist and such Party shall be mutually granted an extension of time for performance equal to the period of the delay. Provided that if the conditions shall continue beyond the duration of thirty (30) consecutive days, either Party may terminate this Agreement forthwith by written notice to the other Party.


24. WAIVER

24.1 Failure or neglect by either Party to enforce at any time any of the provisions hereof shall not be construed nor deemed to be a waiver of the Party's rights hereunder nor in any way affect the validity of the whole or any part of this Agreement nor prejudice the Party's rights to take subsequent actions.

25. LEGAL FEES AND STAMP DUTY

25.1 Each Party shall bear its own legal fees and the stamp duty incurred herein shall be borne by the Company.

26. SURVIVAL AND SUCCESSION

26.1 Terms or clauses related to confidentiality, whistleblowing, conduct of the Company and its personnel, intellectual property rights and indemnity, and liability of this Agreement shall survive any termination of this Agreement.

26.2 The Agreement, in its entirety, shall inure to the benefit and be binding on the successors, heirs and assigns of the Parties and the liability provision in clause 10 shall be extended to any affiliates, shareholders, personnel and employees of either of the Parties, as the case may be, and any successors, heirs and assigns of any such person or entity.

27. SEVERABILITY

27.1 In the event that any of the terms, conditions or provisions contained in this Agreement shall be deemed invalid, unlawful or unenforceable to any extent, such term, condition or provision shall be severed from the remaining terms, conditions and provisions which shall continue to be valid to the fullest extent permitted by law.

28. INTELLECTUAL PROPERTY RIGHTS AND INDEMNITY

28.1 All contents and data provided in relation to the Services (collected, submitted, processed and analysed by the Services) shall be and remain the sole property of BNM, except any commercial data for which BNM is not granted the license. BNM, as the proprietor, has the right to instruct the Company to securely dispose of any data at the end of service.

28.2 The Company shall indemnify BNM and hold BNM harmless, at its own expense, in respect of any claim or action by a third party in the event that the contents provided in relation to the Services infringe the intellectual property rights (including without limitation any patent, copyright, registered design or trademark) of any third party, provided that BNM:

(a) promptly notifies the Company of any allegations of intellectual property infringement forthwith upon becoming aware of the same;

(b) at the Company's request and expense, shall allow the Company or any other party which the Company may nominate, either severally or jointly, the right to conduct and/or settle all negotiations and litigation resulting from any such claim, subject to the following conditions:

(i) the Company giving to BNM reasonable security as, from time to time, required by BNM to cover the amount ascertained or agreed or estimated, as the case may be, of any compensation, damages, expenses and costs for which BNM may become liable; and

(ii) the Company taking over such conduct within a reasonable time after being notified of the claim in question; and

(c) shall, at the request of the Company, afford all reasonable assistance with such negotiations or litigation, and shall be reimbursed by the Company for any out-of-pocket expenses incurred in so doing.

28.3 The indemnity given under clause 28.2 shall not apply to infringement arising out of the use of the contents provided by the Company in relation to the Services outside of the Location, including external distribution, production, duplication or copying by any means, in whole or in part, without the prior written consent of the Company.

29. PERSONAL DATA PROTECTION

29.1 Where the Company provides to BNM personal data of the Company’s employees who shall be performing any part of the Services under this Agreement (hereinafter referred to as “Data Subjects”), the Company:

(a) shall obtain the consent of each Data Subject to allow BNM to process the personal data of the Data Subject in accordance with the Personal Data Protection Act 2010 (hereinafter referred to as “the PDPA”);

(b) undertakes that each Data Subject has read and understood BNM’s Personal Data Protection Notice as set out in Schedule D;

(c) pursuant to clause 29.1(a), shall submit to BNM prior to the commencement of any part of the Services, the Personal Data Protection Consent form (hereinafter referred to as “the Consent form”) that has been duly signed by each Data Subject; and

(d) in the event of any change to the Data Subjects, shall immediately require the new Data Subject to sign the Consent form and submit the duly signed Consent form to BNM prior to the new Data Subject performing any part of the Services.

29.2 Notwithstanding any clause to the contrary, the Company shall indemnify BNM and keep BNM fully and effectively indemnified against all costs, claims, demands, expenses and liabilities of whatsoever nature arising out of or in connection with any claim that the use or possession of the Personal Data by BNM under clause 29.1 is in breach of any of the requirements under the PDPA.

30. DECLARATION OF RELATIONSHIP

30.1 The Company declares that –

(a) it is not an entity –

(i) in which BNM has significant influence in respect of financial and operating decisions;

(ii) controlled by BNM by virtue of BNM’s shareholding, BNM’s control of its board’s composition, BNM’s funding, the Company being BNM’s subsidiary or associate, or the Company being the subsidiary of BNM’s subsidiary or BNM’s associate; and

(b) neither the Company’s director nor any person who has control and significant influence over the Company is –

(i) BNM’s Key Management Personnel (BNM KMP);

(ii) the Close Family Member of BNM KMP;

(iii) the Close Family Member of BNM staff;

other than those already informed in writing to BNM.

30.2 During the tenure of the Agreement, the Company shall inform BNM in writing, in accordance with the format set out in Schedule F, within seven (7) days upon having knowledge of the existence of any relationship mentioned in clause 30.1 above.

30.3 Without prejudice to BNM’s other rights and remedies, BNM may terminate the Agreement in the event that the Company fails to comply with clause 30.

30.4 For purposes of clause 30:

(a) “Key Management Personnel” of BNM are as follows –

(i) Governor;

(ii) Deputy Governor;

(iii) Assistant Governor or equivalent;

(iv) Board of Directors; or

(v) any head of departments.

(b) “Close Family Member of the Key Management Personnel” are as follows –

(i) spouse(s);

(ii) children and their spouses; or

(iii) dependants;

(c) “Close Family Member of BNM staff” are as follows –

(i) spouse(s);

(ii) children and their spouses;

(iii) dependants;

(iv) parents;

(v) parents-in-law;

(vi) siblings; or

(vii) sibling's spouse and their children.

31. CONDUCT OF THE COMPANY AND ITS PERSONNEL

31.1 Before, during and after the duration of this Agreement, the Company shall comply with BNM’s Vendor Code of Conduct (“VCOC”) provided in Schedule E, including any updated versions of the VCOC published by BNM on its website (http://www.bnm.gov.my).

31.2 The Company shall ensure that its employees and personnel have read and understood the obligations specified in the VCOC.

31.3 The Company and its employees and personnel shall undertake to:

(a) notify BNM promptly of any breach, including possible breach, of the VCOC, that it knows or has reason to believe has occurred or is likely to occur; and

(b) co-operate fully with BNM on any investigations into any breach, including possible breach, of the VCOC, including providing any information requested by BNM.

B. Change of Personnel

31.4 The Company undertakes that the Personnel shall be available to perform the Services to the satisfaction of BNM throughout the period of this Agreement. During the duration of this Agreement, the Personnel shall be exclusively under the supervision, direction and control of the Company.

31.5 The Company shall not change any of the Personnel without cause and without the prior written consent of BNM. Failure on the part of the Company in complying with this requirement shall entitle BNM (without prejudice to BNM’s other rights and remedies under the law) to claim for any loss or damage sustained by BNM resulting from the failure on the part of the Company to comply with the provision of the Personnel under clause 31.4.

31.6 In the event there is a need by the Company to change the Personnel due to reasonable grounds accepted by BNM in writing, the Company shall provide alternative Personnel who are of equal or better skill and knowledge and who are accepted in writing by BNM. The Company shall provide BNM with a thirty (30) working days’ written notice prior to the date of change of such Personnel. In the event of failure on the part of the Company to give sufficient notice to BNM or the alternative Personnel are not acceptable to BNM, BNM has a right to terminate this Agreement and the Company shall (without prejudice to BNM’s other rights and remedies under the law) forthwith refund to BNM all sums previously paid to the Company under this Agreement.

31.7 BNM may at any time make objections to any of the Personnel provided in clause 31.4 and to any alternative Personnel provided in clause 31.6. Upon receipt of a written objection from BNM, the Company shall within a reasonable time acceptable to BNM replace the Personnel to whom objection has been made.

C. Security and Access

31.8 BNM shall, for the purposes of this Agreement, provide access to the premises to the Personnel during normal working hours for the purposes of carrying out the Company’s obligations under this Agreement. BNM reserves the right to refuse access to the Personnel who are in its absolute opinion unfit to be at the premises. The Personnel shall strictly comply with BNM’s security procedures and policies for access to the premises and throughout the period the Personnel are at the premises.

[END OF CLAUSES]


IN WITNESS WHEREOF the Parties hereto have executed this Agreement on the date first written above.

Signed by )
for and on behalf of )
BANK NEGARA MALAYSIA )

(Authorised signatory)
Name:
NRIC No.:
Designation:

(Witness signatory)
Name:
NRIC No.:
Designation:

Signed by )
for and on behalf of )
[insert company name] )
(Company No.: XX) )

(Authorised signatory)
Name:
NRIC No.:
Designation:

(Witness signatory)
Name:
NRIC No.:
Designation:


SCHEDULE A

AUTHORISED REPRESENTATIVES AND ADDRESSES

1. The Authorised Representatives of the Parties are as follows:-

(a) BNM:

(i) Director, Risk Specialist and Technology Supervision Department, or in the absence of Director,

(ii) Deputy Director, Risk Specialist and Technology Supervision Department

(b) Company:

(i) [name] [designation]

(ii) [name] [designation]

2. Address of the Parties shall be as follows:-

To BNM:
Director
Risk Specialist and Technology Supervision
Bank Negara Malaysia
1C, Jalan Dato’ Onn
50480, Kuala Lumpur
Telephone No:

The Company:
[name of company]
[address]
Telephone No: XX
Facsimile No: XX
(Attention: [name])

(END OF SCHEDULE A)


SCHEDULE B

PRICE

1. Price

In consideration of the Company’s due performance of the Products and Services and other obligations under this Agreement, BNM shall pay the Company the Price of:

Malaysian Ringgit: [value] (MYRXX) only as follows:

| Packages                       | Subscribed Period          | Amount exclusive of SST (MYR) | SST (6%) (MYR) | Amount inclusive of SST (MYR) |
|--------------------------------|----------------------------|-------------------------------|----------------|-------------------------------|
| Cybersecurity Risk Rating Tool | XX XX 2020 - XX XX 2021    | XX                            | XX             | XX                            |
| TOTAL                          |                            | XX                            | XX             | XX                            |

The payment structure of the Price shall be as follows:

(The table below is for illustrative purposes only; the confirmed payment structure is subject to the contract finalisation.)

Payment structure for the Products and Services

| Item | Description                    | Amount exclusive of SST (RM) | SST (6%) (RM) | Amount inclusive of SST (RM) | Payment schedule              |
|------|--------------------------------|------------------------------|---------------|------------------------------|-------------------------------|
| 1.   | Cybersecurity Risk Rating Tool | XX                           | XX            | XX                           | [insert date of payment here] |
|      | TOTAL                          | XX                           | XX            | XX                           |                               |

Note:

Payment shall be made in accordance with the above stated payment schedule. If, in the reasonable opinion of BNM, the Company is in breach of any part of this Agreement, BNM shall be entitled to be refunded with the portion of the Price for Services which are not yet rendered and Services which are affected arising from the Company’s breach of the Agreement, without prejudice to any other rights or remedies that may have accrued to BNM under the law or in this Agreement and to the continuance in force of the appointment of the Company under this Agreement.


2. Manner of Payment

The payment of the Price referred to in paragraph 1 shall be payable by BNM to the Company via electronic funds transfer into the account specified as follows:

(a) Name and address of bank:
(b) Account Number:
(c) Account type:
(d) Account Scheme:

(END OF SCHEDULE B)


SCHEDULE C

PRODUCTS AND SERVICES

The Company shall provide the following Products to BNM:

a) Cybersecurity Risk Rating Tool

The Company shall provide the following Services to BNM:

b) Set up and commission the Cybersecurity Risk Rating Tool as per BNM’s requirements;
a) Provide an implementation plan with a detailed timeline;
b) Provide 24/7 support, training and maintenance throughout the contract period;
c) Ensure uninterrupted 24x7 services and support, designed with high availability and comprehensive backup;
d) Ensure sound and secure operation of the service;
e) Provide a solution that applies various analytical techniques to efficiently build risk profiles of the financial institutions based on various context and metadata;
f) Enable a real-time intelligence-led solution that is based on a consistent rating methodology capable of presenting analysed intelligence in a manageable and actionable way;
g) Provide continuous visibility on potential external risks and automatically calculate a dynamic cyber-risk rating for each financial institution to develop a comparative benchmark of the cyber risk landscape of the financial sector;
h) Provide necessary technical support for any integration via API between the Cybersecurity Risk Rating Tool and other systems;
i) Adhere to industry standard cybersecurity hygiene such as ENISA cyber hygiene;
j) Ensure all data are not processed or used for any other purpose that is out of scope of the Cybersecurity Risk Rating Tool services;
k) Provide user manuals and on-boarding training and/or knowledge sharing sessions to BNM and Cybersecurity Risk Rating Tool users;
l) Provide continuous industry cyber-risk situational awareness via dynamic rating, actionable information and recommendations for security controls;
m) Provide impact analysis of threat trends affecting the industry, technology or region/global;
n) Provide a user-friendly and intuitive dashboard and reporting, with search and analysis functionalities;
o) Ensure secure data disposal (for data provided by BNM) at the end of service or at the termination of service.

(END OF SCHEDULE C)


SCHEDULE D

PERSONAL DATA PROTECTION NOTICE

TO VENDORS / PROVIDERS OF GOODS/SERVICES

Purpose of notice

1. This notice is issued pursuant to the requirements under the Personal Data Protection Act 2010 (PDPA) to all individuals who are vendors/providers of goods/services or the individual employees of the vendors/providers of goods/services –

(iii) engaged by Bank Negara Malaysia (BNM); or
(iv) who submit any RFI/tender/proposal to BNM for such purpose,

(referred to as “vendors”).

Purpose of Notice

1. This notice is issued in accordance with the requirements of the Personal Data Protection Act 2010 (PDPA) to all individuals who sell/supply goods/services, or employees of sellers/suppliers of goods/services, who –

(iii) are appointed by Bank Negara Malaysia (BNM); or
(iv) submit any RFI/tender/offer for such purpose

(referred to as “suppliers”).

Processing of personal data

2. During the course of its dealings with you, BNM processes personal data of the vendors which includes, but is not limited to, your name, IC number, address and other contact details.

Processing of Personal Data

2. Throughout the period of BNM’s dealings with you, BNM processes the personal data of suppliers, including, but not limited to, name, identity card number, address and other contact information.

Purpose of processing personal data

3. The personal data is collected for, amongst others, the following purposes:

(e) assessing your suitability to be awarded the contract for which you have applied;
(f) enforcing the rights and obligations in the contracts, including but not limited to, making payments for the goods/services and maintaining the list of key personnel who will be responsible to carry out the rights and obligations of the vendors under the contracts;
(g) providing access to BNM’s premises; and
(h) complying with any legal or regulatory requirements, including but not limited to, compliance with the withholding tax requirements, or as permitted by law or authorised by any order of court.

Purpose of Processing Personal Data

3. Personal data is collected for, among others, the following purposes:

(e) assessing your suitability to obtain the contract for which you have applied;
(f) carrying out the rights and obligations in the contracts, including but not limited to making payment for goods/services and keeping a list of the key personnel who will be responsible for carrying out the rights and obligations of the supplier under those contracts;
(g) providing access to BNM’s premises; and
(h) complying with any legal or regulatory requirement, including but not limited to compliance with withholding tax requirements, or as permitted by law or authorised by a court order.

Disclosure of personal data

4. The personal data held by us shall be kept confidential. However, in order to exercise our rights and obligations under the contracts or to evaluate your RFI/tender/proposal to BNM, we may disclose your personal data to:

Departments within BNM;
Financial institutions;
Other parties authorised by you;
Regulatory and governmental agencies as permitted or required by law, authorised by any order of court or to meet obligations to regulatory authorities.

Disclosure of Personal Data

4. Personal data held by BNM will be kept confidential. However, in order to carry out the rights and obligations under the contract or to evaluate your RFI/tender/proposal to BNM, BNM may disclose your personal data to:

Departments within BNM;
Financial institutions;
Other parties authorised by you;
Enforcement and government agencies as permitted or required by law, authorised by any court order, or in order to fulfil obligations to any enforcement authority.

Protection of personal data

5. The security of your personal data is ensured by BNM as we shall take all physical, technical and organisational measures needed to ensure the security and confidentiality of your personal data. If we disclose any of your personal data to any entities, we will require them to appropriately safeguard the personal data provided to them.

Protection of personal data

5. The security of your personal data is guaranteed by BNM as we will take all physical, technical and organisational measures needed to ensure the security and confidentiality of your personal data. If we disclose your personal data to any party, we will ensure that that party takes appropriate measures to ensure the security of the personal data provided to them.

Retention of personal data

6. It is BNM’s policy to destroy personal data of the vendors within seven (7) years after the contract has been awarded or after the conclusion of the contract, whichever is applicable.

Retention of personal data

6. It is BNM’s policy to destroy the personal data of suppliers within seven (7) years after the contract has been awarded or after the contract has concluded, whichever is applicable.

Access of personal data

7. Under the PDPA, you have the right to access your personal data to ensure that the personal data we hold about you is accurate, complete, not misleading and up-to-date. If you wish to exercise such rights and request access to your personal data, please contact us by completing our “Personal Data Access/Correction Request Form” (as attached) and forwarding it to:-

Name :
Designation :
Address :
Direct Line :
Facsimile No. :
Email address :

Access to personal data

7. Under the PDPA, you have the right to access your personal data to ensure that the data we hold about you is accurate, complete, not misleading and up-to-date. If you wish to exercise that right and request access to your personal data, please contact us by completing the “Personal Data Access/Correction Request Form” (as attached) and sending it to:-

Kindly sign and acknowledge the Consent Form below by e-mail to [email protected] or fax +603-91792158, confirming that you have read and understood this Notice and that you consent to the processing of your personal data by BNM. Please sign and inform us of your acceptance of this Notice by e-mail to [email protected] or fax +603 – 91792159, stating that you have read and understood this Notice and that you consent to the processing of your personal data by BNM.

CONSENT FORM

To : Bank Negara Malaysia

I hereby acknowledge that I have read and understood this Personal Data Protection Notice and by signing this, I consent to the processing of my personal data by BNM in accordance with the terms of this Notice. I hereby acknowledge that I have read and understood this Personal Data Protection Notice and by signing this document I consent to the processing of my personal data by BNM in accordance with the terms of this Notice.

-------------------------
Name :
I/C No :
Date :


Personal Data Access/Correction Request Form

NAME
IC NO/STAFF ID
TEL. NO/EXT. NO
EMAIL ADD.
TYPE OF REQUEST & TYPE OF PERSONAL DATA
REASON

- I hereby request to access/correct my personal data that is being processed by * .............................. ………………………………………………………………………………………… (hereinafter ‘the data user’).

- I confirm that the details above are correct and acknowledge that should there be any incorrect or incomplete information or any circumstances provided under section 32 of the Personal Data Protection Act 2010, the data user may refuse to give me access to my personal data.

- I also acknowledge that if the data user, for whatever reason, is unable to comply with this request within 21 days from today, they would notify me in writing, explaining the reasons, before the 21 days have lapsed.

- I confirm that all corrections that I would make to my personal data, if any, are correct and up-to-date.

SIGNATURE
DATE

* Please fill in the name of the department that processes the personal data.

……………………………………………………………………………………………………………………....

To be filled in by the data user as an acknowledgment of receipt:

NAME
STAFF ID
EXT. NO
SIGNATURE
DATE


Personal Data Access/Correction Request Form

NAME
IC NO/STAFF ID
TEL NO/EXT. NO
EMAIL ADDRESS
TYPE OF REQUEST & TYPE OF PERSONAL DATA
PURPOSE

- I hereby request access to/correction of my personal data which is being processed by * ..............................………………………………………………………................... …………………………………………………(hereinafter referred to as ‘the data user’).

- I confirm that the information above is true and take note that the data user is entitled not to give me access to my personal data if the information above contains any error or is incomplete, or if any of the circumstances provided for under section 32 of the Personal Data Protection Act 2010 apply.

- I am also aware that, should this request fail for whatever reason, the data user will inform me in writing within 21 days from today to explain the reasons my request was refused.

- I confirm that all corrections that I will make to my personal data, if any, are correct and up-to-date.

SIGNATURE
DATE

* Please state the name of the department that processes your personal data.

…………………………………………………………………………………………………………………………

To be filled in by the data user as proof of receipt:

NAME
STAFF ID
EXT. NO
SIGNATURE
DATE

(END OF SCHEDULE D)


SCHEDULE E

VENDOR CODE OF CONDUCT

Please refer to the attached Vendor Code of Conduct.

*For declaration of relationship pursuant to clause 30, please disregard Appendix 2 of the VCOC and refer to Schedule F.

(END OF SCHEDULE E)


SCHEDULE F

BANK NEGARA MALAYSIA (BNM) DECLARATION OF RELATIONSHIP BY VENDOR*

Name of Contract : _____________________________________________________

Vendor’s Name and Company No. (if applicable) : _____________________________________________________

I, ______________________________________ (NRIC No./Passport No.: ______________________), the undersigned / acting as the authorised representative of the Vendor, hereby declare that –

Section A: To be filled if Vendor is an individual

I am a Close Family Member of BNM KMP** or Close Family Member of BNM staff***

Section B: To be filled if Vendor is an entity

BNM has significant influence over the Vendor in respect of its financial and operating decisions

The Vendor is controlled by BNM by virtue of BNM’s shareholding, BNM’s control of its board’s composition, BNM’s funding, the Vendor being BNM’s subsidiary or associate, or the Vendor being the subsidiary of BNM’s subsidiary or BNM’s associate

The director or person who has control or significant influence over the Vendor as listed in the schedule below is BNM KMP****, Close Family Member of BNM KMP** or Close Family Member of BNM staff***:

No | Name | Position in Vendor | Name of BNM KMP or BNM staff, if applicable | Relationship, if applicable
1. | | | |
2. | | | |

I hereby declare that I have carefully read and completed this form myself and provided current and accurate information to the best of my knowledge.

Signature
Name of Signatory
Position
Date:

FOR BNM’S OFFICIAL USE ONLY

No | Name | Relationship
1. | |
2. | |

* “Vendor” refers to BNM’s counterparty under the Contract as named above which or who is referred to in the Contract as either the Service Provider, Supplier, Company, Tenant, Landlord, Consultant, or any other name.

** “Close Family Member of BNM KMP” refers to the spouse, children and their spouses, dependants, of BNM’s Key Management Personnel (BNM KMP)

*** “Close Family Member of BNM staff” refers to spouse, children and their spouses, dependants, parents, parents in-law, siblings, sibling's spouse and their children, of BNM staff

**** “BNM KMP” refers to BNM’s Governor, Deputy Governors, Assistant Governors and equivalent, BNM’s Board of Directors and Directors / Heads of Departments.


Confirmation of receipt by budget owner or assigned department:

Signature

Name
Department
Date

Confirmation of receipt by Strategic Human Capital Department:

Signature

Name

Date

Confirmation of receipt by Board Secretariat Unit:

Signature

Name

Date

(END OF SCHEDULE F)


APPENDIX D

Implementation of Cyber Security Risk Rating Tool

SECTION A.1 - STATEMENT OF COMPLIANCE WITH BASE TENDER

(TO BE TYPED ON THE TENDERER'S OFFICIAL LETTERHEAD)

BANK NEGARA MALAYSIA
Jalan Dato’ Onn
50480 Kuala Lumpur

Dear Sir

Implementation of Cyber Security Risk Rating Tool

STATEMENT OF COMPLIANCE

Having examined the Request for Proposal (RFP) document, addenda and clarifications, we warrant that for the Base Tender, our tender submission fully / partially complies with the provisions of the above said Request for Proposal (RFP) document, addenda and clarifications without any deviation, exception or qualification.

Dated this .............................. day of .............................. 2020

Signature ...................................................………
Name ........................................................….
Designation ....................................................…….
Company Stamp ...........................................................

Witness
Signature ...................................................………
Name ........................................................….
NRIC No. ....................................................……..
Address ....................................................……..
....................................................……..
....................................................……..


SECTION A.2 – COMPLIANCE MATRIX

A.2.1 TECHNICAL & BUSINESS REQUIREMENTS

(Details of the requirements are provided in Part B, Sections 3 and 4 of the main Request for Proposal document)

Part B: Section 3.0 – Technology and Service Requirements

NO | REQUIREMENT | COMPLIANCE STATEMENT | JUSTIFICATION

2.2 The cyber risk rating tool is to be delivered by the Tenderer to BNM on a subscription-based model.

3.0 Cyber Security Risk Rating Tool Requirements (Technical Requirements)

3.1.1 General

3.1.1.1 The proposed solution must be delivered on a subscription model and may be integrated as cloud-based components.

3.1.1.2 The proposed solution’s web interface must be supported at minimum by prevailing browsers such as Microsoft Internet Explorer, Microsoft Edge, Google Chrome and Apple Safari. Optionally, the proposed solution may also be accessed via a mobile application supported by Apple iOS and Google Android.

3.1.1.3 The Tenderer must ensure that the proposed service is secure and that any data provided by BNM on related FIs is retained securely and confidentially.

3.1.1.4 The Tenderer must provide support and maintenance throughout the contract period (preferably by onsite/customer call centre).

3.1.1.5 The Tenderer must be able to provide general support and usability training for users as required by BNM. All user manuals must also be provided and updated if required.

3.1.1.6 All financial institutions’ data submitted by BNM which is processed and analysed by the tool is owned by BNM and the respective financial institutions.

3.1.1.7 All data as mentioned in 3.1.1.6 must not be processed or used for any other purpose.

3.1.1.8 The proposed solution is required to be able to retain at least twelve (12) months of online data for analysis purposes and provide options for exporting / archiving post-duration data either automatically or manually.

3.1.1.9 The proposed solution must be capable of providing a user activity log or user audit trail. These logs and audit trails must be kept for a minimum period of twelve (12) months.

3.1.2.1 Data Source and Exporting

3.1.2.2 The proposed solution must be able to automatically collect and analyse external risk indicators or information from a wide range of sources such as, but not limited to, surface, deep and dark web channels.

3.1.2.3 The proposed solution must be capable of exporting/archiving data in a variety of data formats, either automatically or manually, all of which can be configured through the user interface (web portal), such as, but not limited to:

API;
CSV;
PDF, Word, Txt; and
XML.

Please state any formats the solution supports other than those mentioned above.

3.1.2.3 The proposed solution should be able to support data restoration capabilities for a variety of data formats.

3.1.3 Rating Tool Requirements

3.1.3.1 The proposed solution must provide the capability to easily create and maintain watch lists for tracking and/or prioritizing financial institutions.

3.1.3.2 The proposed solution must be able to automate the collection, contextualization and analysis of externally available risk data to assess the financial institutions’ cyber hygiene and risk exposure levels.

3.1.3.3 The proposed solution must be capable of providing a dynamic external exposure rating for each defined financial institution based on external risk, threat or vulnerability information.

3.1.3.4 The proposed solution must be able to provide proactive tracking and remediation suggestions for all critical and high vulnerabilities identified.

3.1.3.5 The proposed solution must ensure that the risk ratings for managed financial institutions are refreshed frequently, incorporating new information collected and updated tracking of security controls.

3.1.3.6 The proposed solution must be able to provide a local comparative benchmark rating of the cyber-risk landscape of the financial sector.

3.1.3.7 The proposed solution is preferred to have the capability to provide automated predictive analysis from gathered information.

3.1.3.8 The proposed solution must allow BNM to incorporate customized thresholds, acceptance levels and rating benchmarks.

3.1.3.9 The proposed solution must be able to keep track of the FIs’ history, growth and comparison levels up to a period of twelve (12) months. The solution must also provide exporting or archiving options to automatically or manually store post-duration information and related charts, graphs and reports.

3.1.3.10 The proposed solution must provide the capability to perform entity attribution and risk analysis for the managed financial institutions.

3.1.3.11 The proposed solution must have a consistent rating methodology where the rating efficacy and assessed criteria are transparent.

3.1.3.12 The proposed solution must be consistently updated to be able to effectively track cyber risk trends that pose potential risks to the financial sector.

3.1.3.13 The proposed solution must be able to provide continuous monitoring and analysis of external risk exposures via dynamic risk rating. This should cover industry cyber risk situational awareness and provide actionable intelligence and recommendations for security controls.

3.1.3.14 The proposed solution must provide the capability to apply custom tagging, labelling or marking.

3.1.4 Visualization

3.1.4.1 The proposed solution must be capable of providing real-time fixed or customizable graph-based data representations and trending analysis.

3.1.4.2 The proposed solution must provide user-friendly and intuitive dashboard functionality with charts, graphs and general comparative analysis information made available.

3.1.4.3 The proposed solution must provide in-depth analysis / description for graphs/charts and related data representations.

3.1.4.4 The proposed solution must be able to display a profile of the external state of the cyber risk rating of each financial institution.

3.1.4.5 The proposed solution must be capable of providing real-time built-in benchmarking or peer comparative analysis functionality between local financial institutions with highlights of critical indicators/areas.

3.1.4.6 The proposed solution is preferred to have the capability to provide regional and global level benchmarking and comparisons for both individual financial institutions and the Malaysian financial sector.

3.1.4.7 The proposed solution must be able to provide timeline-based (e.g. by week, by month, by quarter, by year) graphs/charts to keep track of and compare historical data and FIs’ growth.

3.1.4.8 The proposed solution must use colour indicators or icons to help illuminate, visualize, prioritize and highlight risk levels via the rating structure.

3.1.4.9 The proposed solution is preferred to have the capability to provide customizable dashboard requirements or built-in widget options.

3.1.5 Performance

3.1.5.1 The proposed solution must have at least twelve (12) months of online retention of data analysis and reports which can be used by BNM to perform search and analysis functions.

3.1.5.2 The proposed solution must be designed for high availability and comprehensive backup.

3.1.5.3 The proposed solution must provide search, sorting and filtering functionalities to allow for comparative analysis and filtering of relevant information. The functionality should support multiple criteria sets such as by keywords, sector, country, timeline and more, which can be saved.

3.1.6 Security

3.1.6.1 The proposed solution must use a secured HTTPS connection, encrypted with TLS 1.2 or the latest secure version.

3.1.6.2 The proposed solution’s portal must have a secure digital certificate that uses strong cryptographic algorithms based on industry standards.

3.1.6.3 The proposed solution must be periodically updated with the latest security and application/system updates.

3.1.6.4 The proposed solution must support user password management capabilities.

3.1.6.5 The proposed solution must have secure encryption controls in place for all data provided by BNM that will be stored in the solution platform environment.

3.1.6.6 The proposed solution must be capable of supporting multi-factor authentication (MFA) for login functionality.

3.1.7 Notification and Sharing

3.1.7.1 The proposed solution must have the capability of displaying/sending notifications or alerts to BNM based on customizable pre-defined criteria such as, but not limited to, alerting on high priority vulnerabilities, or alerting when a financial institution drops below a fixed rating threshold.

3.1.7.2 The proposed solution is preferred to have automated mechanisms to allow sharing of information between BNM and financial institutions as required.

3.1.7.3 The proposed solution is preferred to have the capability to sanitize or anonymize the information as required for appropriate sharing by BNM.

3.1.8 Reporting Requirements

3.1.8.1 The proposed solution must be capable of automatically generating various comprehensive and visually supplemented reports which can be seamlessly exported as required. These reports are preferred to be generated in formats such as PDF, Word and/or HTML.

3.1.8.2 The proposed solution must be able to automatically produce reports based on defined criteria and timelines (by week, by month, by quarter, by year). These reports must cover the intended objectives of the tool such as, but not limited to:

Detailed individual FI profile rating and cyber-risk landscape reports;
Comparison and benchmarking reports; and
Observations and recommendations for security controls.

3.1.8.3 The proposed solution must be capable of generating both high level and detailed reports for individual financial institutions managed and for general industry comparison and peer benchmarking.

3.1.8.4 The proposed solution is preferred to support report customization.

3.1.9 Additional Requirements

3.1.9.1 The Tenderer must have processes to ensure secure data disposal for all data provided by BNM, at the end of the service period or at the termination of service.

3.1.9.2 The proposed solution is preferred to provide capabilities to act as a platform for tracking security compliance issues.

3.1.9.3 The proposed solution is preferred to provide third/fourth party risk assessment and rating capabilities.

3.1.9.4 Upon tender award, the Tenderer must apply a methodological approach to ensure the implementation of the service is completed in the required timeline with quality and impactful results.

Note: The Tenderer is required to complete the Compliance Matrix above. Please refer to the RFP for reference and detailed information.


APPENDIX E-1

Implementation of Cybersecurity Risk Rating Tool Cost Summary

Company: ____________________________

A. Implementation of Cybersecurity Risk Rating Tool

Note: The service agreement is for one (1) year initial subscription followed by yearly renewal, subject to performance evaluation by BNM.

OPTIONAL B. Additional participating entities fee (based on entity number licensing model)

Note: The Tenderer can leave this table blank if it offers a blanket costing model for the services; e.g. the Tenderer charges a yearly lump-sum subscription fee regardless of the number of entities on-boarded. *Please state the minimum number of entities required to be on-boarded.


OPTIONAL C. Additional participating entities fee (based on slot licensing model)

Note: The Tenderer can leave this table blank if it offers a blanket costing model for the services; e.g. the Tenderer charges a yearly lump-sum subscription fee regardless of the number of slots offered. *Please state the minimum number of entities required to be on-boarded.

Name

Designation

Signature

Date

Company Stamp


APPENDIX E-2

Implementation of Cybersecurity Risk Rating Tool Detailed Costing

(Breakdown in Cost)

For 1st year subscription

The Tenderer shall provide detailed information on the breakdown of the cost of this project, where applicable, in the table below.

Name of company: <pls state your company name>

*Example: annual license, support services, training, additional licenses and costs, …

Note: The service agreement is for one (1) year initial subscription followed by yearly renewal, subject to performance evaluation by BNM.


For 2nd year subscription

*Example: annual license, support services, training, additional licenses and costs, …

Note: The service agreement is for one (1) year initial subscription followed by yearly renewal, subject to performance evaluation by BNM.

For 3rd year subscription

*Example: annual license, support services, training, additional licenses and costs, …


Note: The service agreement is for one (1) year initial subscription followed by yearly renewal, subject to performance evaluation by BNM.