Request for Proposal
CYBERSECURITY RISK RATING TOOL
ISSUER
Bank Negara Malaysia
Jalan Dato’ Onn
50480 Kuala Lumpur
ISSUE DATE : 13 March 2020
CLOSING RFP SUBMISSION : 27 March 2020, 3.00 pm
TABLE OF CONTENTS
PART A: RFP REQUIREMENTS
1.0 Introduction
2.0 Conditions of the Proposal
3.0 Evaluation of Proposal
4.0 Submission of the Proposal
5.0 Closing Date and Validity Period of Proposal
6.0 Liquidated Ascertained Damages (LAD)
7.0 Company Litigations
8.0 Contact for Enquiries
PART B: TECHNICAL AND BUSINESS REQUIREMENTS
1.0 Introduction
2.0 Overview
3.0 Technology and Service Requirements
PART C: CONTENT COVERAGE OF RESPONSE TO RFP REQUIREMENTS
1.0 Format of Proposal
APPENDICES
Appendix A-1(i) Covering Letter for Proposal Submission
Appendix A-2 Undertaking of Confidentiality
Appendix A-3(i) Vendor Code of Conduct – Declaration of Interests
Appendix A-4(i) Company Profile and Experience
Appendix B-1 Notice of Personal Data Protection (PDPA)
Appendix B-2 Data Access or Correction Request Form
Appendix C Service Subscription Agreement
Appendix D Compliance with Tender Requirements
Appendix E-1 Cost Summary
Appendix E-2 Detailed Costing
PART A – RFP REQUIREMENTS
1.0 INTRODUCTION
1.1 Request for Proposal
1.1.1 Bank Negara Malaysia (BNM) is inviting Tenderers and/or its
consortium/solution partners (The Tenderer) to submit a
comprehensive proposal for the implementation of a
cybersecurity risk rating tool.
1.1.2 This document provides a combination of broad requirements
and detailed specifications of the above purpose for The
Tenderer to submit a proposal for BNM’s evaluation and
consideration.
1.1.3 The Tenderer is requested to study this document and all its
references carefully before preparing the proposal and seek
clarifications from BNM should questions and concerns arise.
1.1.4 This tender document provides a detailed specification of the
services required. The Tenderer is expected to provide an
itemised quotation to facilitate BNM to select the required
services as necessary. Should there exist a discounted
package price for a group of services, it should be indicated
wherever applicable.
2.0 CONDITIONS OF THE PROPOSAL
2.1 General Conditions
2.1.1 The Tenderer must respond to the Request for Proposal (RFP)
on the basis that the Tenderer is deemed to have examined
and understood the contents of this RFP. The Tenderer must
also be deemed to accept and is bound by all the terms and
conditions specified in this RFP. Any limitations and
assumptions of responsibilities that The Tenderer wishes to
inform should be clearly stated.
2.1.2 Any non-compliance by The Tenderer with any requirement
stipulated in this RFP must entitle BNM, at its sole discretion, to
disqualify The Tenderer.
2.1.3 The specifications and contractual conditions contained in this
RFP define the basic functional, technical and contractual
requirements with regard to this request. Any amendment to
the specifications will be effected and notified to all Tenderers
by correspondence through letter or e-mail.
2.1.4 The Tenderer must have the necessary expertise or domain
knowledge to provide the required services in its entirety as
required by BNM.
2.1.5 The Tenderer is requested to submit a proposal with
responses/information that supports how the proposed solution
would be able to meet and add value to BNM’s requirements.
2.1.6 The Tenderer must be solely responsible for any collaboration
with any solution partners (sub-contract). The Tenderer will be
the single point of contact with BNM and any arrangement or
agreement between the Tenderer and their partners is beyond
BNM’s responsibilities.
2.1.7 All costs incurred in the preparation and submission of the
proposal including any presentation to BNM and/or Proof-of-
Concept (POC) conducted, if any, must be borne solely by The
Tenderer.
2.1.8 The Tenderer must ensure that the prices quoted are accurate
before submitting their quotation. The Tenderer must be solely
responsible for any omissions and/or errors in their proposals,
without any additional cost to BNM. BNM will not entertain any
request for variation of price(s) or submission of additional
quote for items erroneously omitted in the original submission.
2.1.9 Any quotations submitted must be in Ringgit Malaysia (RM) and
must include any applicable tax, duty, charge and other
government taxes.
2.1.10 The Tenderer must be prepared to:
a) Provide detailed scope of services that needs to be
performed for BNM’s reference.
b) Provide details of relevant projects/services delivered
and implemented in the past 3 years for BNM’s
reference.
c) Allow BNM to conduct checks with The Tenderer’s
references, if deemed necessary, to assess The
Tenderer’s capability and support service.
d) Give a formal presentation of the proposal to BNM, if
requested.
e) Respond to any questions on the proposal and provide
additional information, when required by BNM.
2.1.11 BNM will retain the proposal and other related documents
submitted by The Tenderer, for the purpose of this proposal.
2.1.12 BNM reserves the right to amend the requirements and
conditions in this RFP in order to correct errors, rectify
omissions or discrepancies or to reflect any change in policy.
Any amendments to the specifications will be effected and
notified to all Tenderers through official letter or e-mail.
2.2 Statement of Confidentiality and Vendor Code of Conduct
2.2.1 This document is strictly confidential. Information contained in
this document must not be disclosed directly or indirectly to any
party except to its consortium or solution partners involved in
the preparation of the proposal or expressed otherwise in
writing by BNM.
2.2.2 The Tenderer is required to sign an Undertaking of
Confidentiality document as specified in Appendix A-2 which
outlines The Tenderer’s responsibility not to divulge any
information on this RFP document, to any third party except its
consortium or solution partners.
2.2.3 The Tenderer is advised to read the Vendor Code of Conduct
(VCOC) published by BNM on its website
(http://www.bnm.gov.my/documents/vendor_coc/vcoc_20170803.pdf)
and duly submit completed declaration of interest
(Appendix A-3(i)).
2.2.4 In the event that any employee(s) of The Tenderer have a family
member working in BNM, it is strongly advised that the affected
employee(s) of The Tenderer be recused from
participating in the tender bidding process and be declared as
per requirement of Section 2.2.3 above.
2.3 Conditions of The Agreement
2.3.1 The successful Tenderer must comply with the terms and
conditions in the BNM’s standard agreement as follows:
a) Service Subscription Agreement (Appendix C)
2.3.2 BNM will view favourably proposals from Tenderers that accept
the terms of BNM standard agreements in their entirety without
amendments.
2.3.3 In executing the Agreement, the successful Tenderer must
comply with the provisions of any statute, regulation, or by-laws
that are applicable to the work under the Agreement. The cost
and expenses involved must be deemed to have been included
in the prices quoted by the successful Tenderer.
2.3.4 The Tenderer must take note of the terms and conditions
relating to the attached draft agreement in the tender proposal.
The successful Tenderer must enter into an agreement with
BNM within 30 days from the acceptance date of Letter of
Award. No services are to be rendered to BNM, nor is any
payment payable to the successful Tenderer, until the
agreement is executed.
3.0 EVALUATION OF PROPOSAL
3.1 The interpretation of the contents of the proposal by BNM must be final.
3.2 This RFP does not in itself constitute in any way a commitment of BNM
to any Tenderer. BNM reserves the right to select any proposal at its
own discretion and does not bind itself to accept the lowest-priced or
any proposal.
3.3 The Tenderer must submit the proposal for a complete solution to meet
all requirements as defined in the RFP. In addition, The Tenderer may
propose innovative and alternative solutions that would be able to
integrate seamlessly with BNM’s new or existing systems, if they
consider that the alternatives provide a better solution for BNM.
3.4 A proposal that does not include response to all requirements may be
excluded at the sole discretion of BNM.
3.5 The evaluation of the proposal must be based on, but not limited to, the
following factors:
a) Compliance with all the conditions of the proposal;
b) Compliance with all the requirements in this document or any of
its referred documentation;
c) Comprehensiveness and level of detail of the proposal;
d) Compliance with the conditions of confidentiality;
e) Compliance with BNM’s contractual provisions and stipulations;
f) Tenderer’s capabilities, experiences, knowledge and expertise
in implementing and managing projects of similar nature in
terms of scope, size and complexity;
g) Completeness of the proposal and effectiveness of the
maintenance and support services in supporting BNM’s
objectives;
h) Detailed cost of the proposal including all miscellaneous cost, if
any;
i) Specify the breakdown of the upgrade services or license
renewal cost for each year, if any; and
j) Proven Tenderer’s track record in relevant domain
3.6 BNM is not obliged to accept a proposal in its entirety and may, at its
absolute discretion, opt to accept only parts of the proposal.
3.7 BNM is not obliged to give any reason for the acceptance or rejection of
any particular proposal.
4.0 SUBMISSION OF PROPOSAL
The mandatory format of the proposal and its expected contents are as
follows:
4.1 Part I: Cybersecurity Risk Rating Tool – Technical Proposal.
4.1.1 The response in Part I must not contain any pricing information
4.1.2 The response in Part I must cover the following content:
Format               Content
Appendix A-1(i)      Covering letter for proposal submission
Tenderer’s Format    One-page executive summary of the proposed solution / services
Appendix A-2         Undertaking of Confidentiality
Appendix A-3(i)      VCOC & Declaration of Interest by Tenderer
Appendix A-4(i)      Company Profile and Experience
Appendix B-1         Notice of Personal Data Protection (PDPA)
Appendix C           Service Subscription Agreement
Appendix D           Summary of your company’s level of compliance with the RFP requirements
Tenderer’s Format    Proposal to meet the service requirements must cover the areas identified in Part B of this document
4.1 Part II: Cybersecurity Risk Rating Tool – Commercial Proposal.
4.2 The response in Part II must cover the following content:
4.2.1 Cost summary as per format Appendix E-1 (in A4 size on the 1st
page of your submission for Part II).
4.2.2 Detailed costing of the proposal as per format in Appendix E-2
must contain all necessary costing
4.3 The proposal must be submitted to BNM in hardcopy. All hardcopies
should contain original signatures and should be clearly identified and
labelled as ‘ORIGINAL’. The proposal must be prepared in two (2)
separate parts as follows:
Part       Label                                                            Copies
Part I     Part I: Cybersecurity Risk Rating Tool (Technical Proposal)      Two (2) hardcopy and one (1) softcopy
Part II    Part II: Cybersecurity Risk Rating Tool (Commercial Proposal)    Two (2) hardcopy and one (1) softcopy
4.4 Part I and Part II must be duly completed, separately bound, and
sealed. The tenderer must indicate the Part number on the right hand
corner of the envelope of submission. The documents shall be
submitted in two (2) separate envelopes addressed, on the top left
hand-corner, to:
Pengarah
Jabatan Risiko dan Penyeliaan Teknologi
Bank Negara Malaysia
Jalan Dato’ Onn
50480 Kuala Lumpur
Both quotations are to be submitted in the tender box located at:
Tender Box labelled (Quotation for Cybersecurity Risk Rating Tool)
Ground Floor, Block C, Bank Negara Malaysia.
4.5 The total size, including the folder/cover must not exceed 28cm x
21cm x 5cm. A set of softcopy of the same documents stored in a flash
drive shall also be included in the envelope. Please ensure the flash
drive and the contents have been scanned and cleared from any
potential malware before submission.
4.6 (If applicable), in the quotation submission, please attach proof that the
company is an authorised partner or reseller for the solution
4.7 Proposals submitted by any other means (i.e. email, fax, telex,
telegram) will NOT be considered.
4.8 The completed proposal must be received by the stipulated RFP
submission closing date and time specified in item 5.1 of this RFP.
4.9 BNM reserves the right to accept or not accept subsequent revised
submissions by Tenderer provided that such subsequent submission is
received before the expiry of the closing date for submission of
proposal.
4.10 BNM may conduct a briefing session for Tenderers on the RFP
requirements and timeline, at a time to be scheduled, if deemed
necessary by BNM.
4.11 The Tenderer will be required to provide a comprehensive technical
presentation of the proposed solution. The tenderer will also need to
undertake a POC of the proposed solution for BNM. The presentation
and the POC, if any, must be conducted by the key team members
responsible for the implementation of the tool.
4.12 Failure to submit the proposal in response to this RFP within the
stipulated closing date and time will be deemed as non-participation by
the Tenderer.
4.13 The Tenderer must comply with any request made by BNM for
additional information, for clarification purposes, after the closing date
of this RFP. The Tenderer must promptly comply with the request, as
non-response may be prejudicial to the Tenderer.
4.14 All cost incurred in the preparation of the proposal in response to this
RFP as well as presentation and POC to BNM, if any, must be borne
solely by the Tenderer.
4.15 Failure on the part of the Tenderer to comply with the requirements
specified herein must invalidate the Tenderer’s proposal.
4.16 Award of Tender
4.16.1 BNM reserves the right to award the project in part or in whole
to any Tenderer.
4.16.2 BNM reserves the right not to proceed with any part of the
project.
5.0 CLOSING DATE AND VALIDITY PERIOD OF PROPOSAL
5.1 The closing date and time for submitting the proposal is by 27 March
2020, 3.00 pm.
5.2 The proposal received after the closing date and time for submitting the
proposal must not be accepted by BNM. The Tenderer’s proof of
posting and/or submission by other means must not be accepted as
proof of receipt by BNM.
5.3 This document lapses in accordance with the proposal submission
closing date and time.
5.4 The Tenderer’s offer must be valid for a period of six (6) months
commencing from the closing date of this RFP. On expiry of the validity
of offer, the Tenderer must, if so requested by BNM, extend the validity
of offer for a period of three (3) months after the expiry date of the initial
six (6) months.
5.5 Any Tenderer withdrawing its proposal after it has been submitted and
opened by BNM will be blacklisted from participating in future RFPs, in
accordance with the BNM Vendor Code of Conduct and BNM
Procurement Policy.
5.6 Failure to submit the proposal in response to this RFP within the
stipulated closing date and time will be deemed as non-participation by
the Tenderer.
5.7 Upon award of this project to the successful Tenderer, the offered
prices must be firm throughout the contract period.
6.0 LIQUIDATED ASCERTAINED DAMAGES (LAD)
6.1 If the Tenderer fails to hand over the project deliverables by the dates
specified in the implementation plan and the delay is beyond
reasonable doubt caused by the Tenderer, then the Tenderer must pay
liquidated ascertained damages (LAD) to BNM. The liquidated
damages must be the aggregate sum of one and a half percent (1.5%)
of the price for each week of such delay and pro-rated for parts of a
week up to a total maximum of twenty per cent (20%) of the price.
7.0 COMPANY LITIGATION
7.1 The Tenderer is to declare that there is no ongoing litigation of dispute
instituted against the companies and/or their directors. The Tenderer
must also list any indictments, convictions, censures, fines or ongoing
investigations by any government entity or agency against the Tenderer
or its related companies and/or its consortium/solution partners and any
other business or businesses owned in whole or in part by, or held in
common with, the Tenderer or any of their principals.
7.2 The Tenderer must list any indictments, convictions, censures, fines or
ongoing investigations by any government entity or agency against the
Tenderer or any parent companies and subsidiaries of the Tenderer (in
any part of the world) and any other business or businesses owned in
whole or in part by, or held in common with, the Tenderer (such entities
referred to hereinafter as “Affiliates”) or any of their principals.
7.3 The Tenderer must describe briefly any pending or past legal
proceedings or legal proceedings known to be contemplated, that (i)
relate to business activities, and (ii) to which the Tenderer or any
Affiliates, or any of their principals is a party or to which any of their
property is the subject. Include in such description the name of the
court or agency in which the proceedings are pending, the date
instituted and the principal parties thereto, a description of the alleged
factual basis underlying the proceeding and the relief sought. Likewise,
describe any judgement, order or determination by any court of
governmental authority to which the Tenderer or any Affiliates or any of
their principals is subject.
8.0 CONTACT FOR ENQUIRIES
8.1 The Tenderer is advised to study all terms and conditions, and
requirements carefully, make all necessary clarifications and conduct
investigations to better understand BNM’s environment and
requirements, before submitting the proposal.
8.2 The Tenderer seeking clarification must submit its queries, in writing,
via e-mail to [email protected] with the following e-mail
subject ‘Enquiry: Cybersecurity Risk Rating Tool:’. Any other mode of
queries will not be entertained by BNM.
8.3 BNM may conduct a briefing session for Tenderers on the RFP
requirements and timeline, at a time to be scheduled, if deemed
necessary by BNM.
PART B – TECHNICAL & BUSINESS REQUIREMENTS
1.0 INTRODUCTION
1.1 Cybersecurity Risk Rating Tool
1.1.1 The Malaysian financial sector is facing a steady shift
towards, and growing dependence on, technology to
deliver critical financial services. This has led Bank
Negara Malaysia (BNM) to proactively pursue new initiatives
to supplement its cyber risk supervision process and
strengthen the Bank’s overall cyber surveillance infrastructure,
essentially enhancing the Bank’s grasp of the industry’s cyber
situational awareness.
1.1.2 In this regard, BNM has decided to acquire an external
cyber risk rating tool to address the issues below:
1.1.2.1 Lack of visibility particularly on the cyber-risk
footprint and situational awareness of the Malaysian
financial sector;
1.1.2.2 Challenge of establishing a dynamic approach to
proactively assess the external cyber risk ecosystem
and to measure the cyber rating levels of financial
institutions;
1.1.2.3 Lack of capability to proactively assess the level of
exposure of critical IT vulnerabilities and determining
the industry exposure level; and
1.1.3 In this regard, BNM is seeking proposal for this RFP to
implement a cybersecurity risk rating tool to automate the
collection and analysis of externally available risk data and
assess the financial institutions’ cyber hygiene and industry risk
exposure.
2.0 OVERVIEW
2.1 The cybersecurity risk rating tool is expected to serve the objectives
below, but not limited to:
2.1.1 Provide continuous visibility on potential external risks and
automatically calculate a dynamic cyber-risk rating for each
financial institution to develop a comparative benchmark of the
cyber risk landscape of the financial sector;
2.1.2 Commission a service that will be able to automatically collect,
analyse and present external risk indicators or information from
a wide range of sources in real-time.
2.1.3 Provide a solution that applies various analytical techniques to
efficiently build risk profiles of the financial institutions based on
various context and metadata.
2.1.4 Enable an intelligence-led solution that is based on a consistent
rating methodology capable of presenting analysed intelligence
in a manageable and actionable way
2.2 The cybersecurity risk rating tool is to be delivered by the Tenderer to
BNM on a subscription based model. On subscription, BNM will be the
main stakeholder for the tool and will use the tool at its discretion
according to requirements.
2.3 The high-level scope of requirements of the tool includes, but is not
limited to:
2.3.1 Commission the risk rating tool as per BNM’s commercial and
technical requirements;
2.3.2 Provide seamless data importing or exporting/archiving
functionalities either automatically or manually as detailed in
3.1.2;
2.3.3 Provide continuous industry cyber-risk situational awareness
via dynamic rating, actionable information and
recommendations for security controls as detailed in 3.1.3.
2.3.4 Provide risk rating and analysed intelligence in an intuitive and
visual way with dashboards, comparative charting and graphing
capabilities as detailed in 3.1.4;
2.3.5 Provide a reliable analysis tool with search and filtering
functionalities as detailed in 3.1.5
2.3.6 Provide notification and sharing capabilities to allow information
and security control sharing between BNM and financial
institutions as detailed in 3.1.7
2.3.7 Provide a variety of automated report generation capabilities as
detailed in 3.1.8.
2.4 The service agreement is for one (1) year initial subscription followed
by yearly renewal, subject to performance evaluation by BNM.
3.0 TECHNOLOGY AND SERVICE REQUIREMENTS
3.1 Cybersecurity Risk Rating Tool Requirements
3.1.1 General
3.1.1.1 The proposed solution must be delivered on a
subscription model and may be integrated as
cloud-based components.
3.1.1.2 The proposed solution’s web interface must be
supported at minimum by prevailing browsers
such as Microsoft Internet Explorer, Microsoft
Edge, Google Chrome and Apple Safari.
Optionally, the proposed solution may also be
accessed via mobile application supported by
Apple iOS and Google Android.
3.1.1.3 The Tenderer must ensure that the proposed
service is secure and any data provided by
BNM are retained securely and confidentially.
3.1.1.4 The Tenderer must provide support and
maintenance throughout the contract period
(preferably by chat, email and 24/7 customer
call centre);
3.1.1.5 The Tenderer must be able to provide general
support and usability training for users as
required by BNM. All user manuals must also
be provided and updated if required.
3.1.1.6 All financial institutions data submitted by BNM
which are processed and analysed by the tool
are owned by BNM and respective financial
institutions.
3.1.1.7 All data as mentioned in 3.1.1.6 must not be
processed or used for any other purpose.
3.1.1.8 The proposed solution is required to be able to
retain at least twelve (12) months of online data
for analysis purposes and provide options for
exporting / archiving post duration data either
automatically or manually.
3.1.1.9 The proposed solution must be capable of
providing a user activity log or user audit trail.
These logs and audit trail must be kept for a
minimum of twelve (12) months period.
3.1.2 Data Source and Exporting
3.1.2.1 The proposed solution must be able to
automatically collect and analyse external risk
indicators or information from a wide range of
sources such as, but not limited to, surface,
deep and dark web channels.
3.1.2.2 The proposed solution must be capable of
exporting/archiving data in a variety of data
formats, either automatically or manually, all of
which can be configured through the user
interface (web portal), such as, but not limited
to:
API;
CSV;
PDF, Word, Txt; and
XML.
Please cite if the solution can support formats
other than those mentioned above.
3.1.3 Rating Tool Requirements
3.1.3.1 The proposed solution must provide the
capability to easily create and maintain watch
list for tracking and/or prioritizing of financial
institutions.
3.1.3.2 The proposed solution must be able to
automate the collection, contextualization and
analysis of externally available risk data to
assess the financial institutions’ cyber hygiene
and risk exposure levels;
3.1.3.3 The proposed solution must be capable of
providing a dynamic external exposure rating for
each defined financial institution based on
external risk threat or vulnerability information.
3.1.3.4 The proposed solution must be able to provide
proactive tracking and remediation suggestions
for all critical and high vulnerabilities identified.
3.1.3.5 The proposed solution must ensure that the
risk ratings for managed financial institutions are
refreshed frequently, incorporating new
information collected and updated tracking of
security controls.
3.1.3.6 The proposed solution must have the capability
to provide local and global level benchmarking
and comparisons for both individual financial
institutions and the Malaysian financial sector.
3.1.3.7 The proposed solution must allow BNM to
incorporate customized thresholds, acceptance
levels and rating benchmarks.
3.1.3.8 The proposed solution must be able to keep
track of the FIs’ history, growth and comparison
levels up to a period of twelve (12) months. The
solution must also provide exporting or
archiving options to automatically or manually
store post duration information and related
charts, graphs and reports.
3.1.3.9 The proposed solution must be consistently
updated to be able to effectively track cyber
risk trends of financial institutions, provide
actionable intelligence and recommendations
for security controls.
3.1.3.10 The proposed solution must be able to provide
continuous monitoring and analysis on external
risk exposures via dynamic risk rating.
3.1.3.11 The proposed solution must provide the
capability to apply custom tagging, labelling or
marking.
3.1.4 Visualization
3.1.4.1 The proposed solution must be capable of
providing real-time fixed or customizable graph-based
data representations and trending
analysis.
3.1.4.2 The proposed solution must provide a user-
friendly and intuitive dashboard functionality
with charts, graphs and general comparative
analysis information made available.
3.1.4.3 The proposed solution must provide in-depth
analysis / description for graphs/charts and
related data representations.
3.1.4.4 The proposed solution must be able to display
profile of the external state of cyber risk rating
of each financial institution.
3.1.4.5 The proposed solution must be capable of
providing real-time built-in benchmarking or peer
comparative analysis functionality between
financial institutions with highlights of critical
indicators/areas.
3.1.4.6 The proposed solution must be able to provide
timeline based (e.g. by week, by month, by
quarter, by year) graphs/charts to keep track
and compare historical data and financial
institutions’ growth.
3.1.4.7 The proposed solution must use colour
indicators or icons to help illuminate, visualize,
prioritize and highlight risk levels via the rating
structure.
3.1.5 Performance
3.1.5.1 The proposed solution must provide search,
sorting and filtering functionalities to allow for
comparative analysis and filtering of relevant
information. The functionality should support
multiple criteria sets such as by keywords,
sector, country, timeline and more which can
be saved.
3.1.6 Integrations
3.1.6.1 The proposed solution must be able to support
any integrations with other business
applications or tools through API. Please cite if
the solution can support other similar solutions.
3.1.6.2 The Tenderer must provide necessary
technical support for any integration via API as
requested by BNM.
3.1.7 Security
3.1.7.1 The proposed solution must use secured
HTTPS connection, encrypted with TLS 1.2 or
latest secured version
3.1.7.2 The proposed solution’s portal must have a
secure digital certificate that uses strong
cryptography algorithms based on the industry
standard.
3.1.7.3 The proposed solution must be periodically
updated with the latest security and
application/system updates.
3.1.7.4 The proposed solution must support user
password management capabilities.
3.1.7.5 The proposed solution must be capable of
supporting multi-factor authentication (MFA) for
login functionality.
3.1.7.6 The Tenderer must have processes to ensure
secure data disposal for all data provided by
BNM, at the end of service period or at the
termination of service.
3.1.8 Notification and Sharing
3.1.8.1 The proposed solution must have the capability
of displaying/sending notifications or alerts to
BNM based on customizable pre-defined
criteria such as, but not limited to, alerting on
high priority vulnerabilities and alerting when a
financial institution drops below a fixed rating
threshold.
3.1.9 Reporting Requirements
3.1.9.1 The proposed solution must be capable of
automatically generating various
comprehensive and visually supplemented
reports which can be seamlessly exported as
required. These reports are preferred to be
generated in the following formats such as
PDF, Word, HTML and/or HTML.
3.1.9.2 The proposed solution must be able to
automatically produce reports based on defined
criteria and timelines (by week, by month, by
quarter, by year). These reports must cover the
intended objectives of the tools such as, but
are not limited to,
Detailed individual FI profile rating and cyber-risk landscape reports;
Comparison and benchmarking reports; and
Observations and recommendations for security controls.
3.1.9.3 The proposed solution must be capable of
generating both high level and detailed reports
for individual financial institutions managed and
for general industry comparison and peer
benchmarking.
3.1.10 Optional Requirements
3.1.10.1 The proposed solution is preferred to have the
capability to provide automated predictive
analysis from gathered information.
3.1.10.2 The proposed solution is preferred to have the
capability to provide customizable dashboard
requirements or built-in widget options.
3.1.10.3 The proposed solution is preferred to have
automated mechanisms to allow sharing of
information between BNM and financial
institutions as required.
3.1.10.4 The proposed solution is preferred to have the
capability to sanitize or anonymize the
information as required for appropriate sharing
by BNM.
3.1.10.5 The proposed solution is preferred to have the
capability to support report customization
capabilities.
PART C – CONTENT COVERAGE OF RESPONSE TO RFP
REQUIREMENTS
1.0 FORMAT OF PROPOSAL
1.1 The Tenderer is invited to submit a comprehensive proposal of
Cybersecurity Risk Rating Tool service for BNM. The Tenderer is
advised to seek clarification to better understand BNM’s environment
and requirements before submitting the proposal.
1.2 The Tenderer is required to submit the Proposal in the format specified
in PART A – 4.0 Submission of Proposal.
APPENDIX A-1(i) – Covering Letter
Format of letter to BNM on the Tenderer’s letterhead
Pengarah Jabatan Pakar Risiko dan Penyeliaan Teknologi 1C, Bank Negara Malaysia Jalan Dato’ Onn 50480 Kuala Lumpur
Dear Sir,
Subject: Response to Request for Proposal (RFP) for implementation of
Cybersecurity Risk Rating Tool
1. With reference to the RFP, we hereby enclose our offer for the
implementation of Cybersecurity Risk Rating Tool covering all the
business, technical and project requirements as mentioned in the RFP.
2. We acknowledge that we have read, understood and hereby agree to
accept all contents of the RFP.
3. We undertake to provide all the services prescribed in the contract to
be entered with BNM and comply within the timeframe specified therein
if BNM accepts our offer.
4. We confirm that our offer is made in compliance with the RFP and shall
remain valid for 6 months from the closing date of the RFP.
Yours faithfully,
(Name & Designation, Seal of the firm)
APPENDIX A-2
UNDERTAKING OF CONFIDENTIALITY
Within the context of the tender to provide “Cybersecurity Risk Rating Tool”,
Company _____________________________ undertakes not to give, divulge
or reveal any information, data, drawings, specifications or documentation
whatsoever, relating to the business and affairs of BANK NEGARA MALAYSIA
to any parties AND HEREBY COVENANTS to take all necessary action to ensure
that this undertaking shall be binding upon all its employees, agents and
persons acting on its behalf pursuant to the said Project.
Signed : __________________ Signed : __________________
Name : __________________ Name : __________________
Designation : __________________ Designation : __________________
FOR AND ON BEHALF OF FOR AND ON BEHALF OF
_____________________________ BANK NEGARA MALAYSIA
Below / Attached is a list of employees, agents or persons acting on behalf of Company _____________________________ involved in the project who shall abide by the above.
Name NRIC Designation Signature
APPENDIX A-3(i)
BANK NEGARA MALAYSIA
CENTRAL BANK OF MALAYSIA
Declaration of Interests by Vendor / Contractor / Service Provider
Company/ Vendor Name : ___________________________________
Type of contract/services tendered : ___________________________________
I, _____________________________ (full name) the undersigned, representative of ____________________________________ (full name of the tenderer) submitting a tender in respect of call for tender _________________________________ (name of tender), hereby undertake that:
Our shareholders / directors / staff holding key management function and their close family members* do not have any relationship with any personnel, including Key Management Personnel**, of Bank Negara Malaysia.
The following shareholders / directors / staff holding key management function of (full name of the tenderer)_________________________ have a relationship with a personnel of the Bank and their close family member*, including Key Management Personnel** of Bank Negara Malaysia, by virtue of their close family members’ position. Details are provided below:
*Close Family Member refers to spouse, children and their spouses, parents, in-law, siblings, sibling's spouse and their children
** Key Management Personnel is defined as members of the Board of Directors, Governor, Deputy Governors, Assistant Governors and equivalent and Directors / Heads of Departments.
I hereby declare that I have carefully read and completed this form myself and provided current and accurate information to the best of my knowledge.
Signatory
Name of Signatory
Position in the Tenderer’s Company
Date:
If the tenderer is related to Key Management Personnel of the Bank, a copy of this form shall be submitted to the Board Secretariat Unit.
Confirmation of receipt by:
Name & Signatory
Department
Board Secretariat Unit
Date:
Confirmation of receipt by:
FOR OFFICIAL USE ONLY (FORM TO BE FORWARDED TO JABATAN MODAL INSAN STRATEGIK)
Signatory
Name
Date
APPENDIX A-4(i)
Cybersecurity Risk Rating Tool
Company’s Background
The Tenderer shall submit and complete the following form.
1.0 Company Background
1.1 Name
1.2 Address
1.3 Telephone No. : Fax No.
1.4 Branch Name and Address
1.5 Type of Company {Please cross ( X ), where applicable}
1.5.1 Sole Proprietor
1.5.2 Partnership
1.5.3 Private Limited
1.5.4 Others
(Please specify)
1.6 Place of Incorporation :
1.7 Certificate of Registration No. :
1.8 Year of Registration :
1.9 Income Tax No. :
1.10 Areas of Business :
1.11 Major Product / Services :
CONFIDENTIAL
Cybersecurity Risk Rating Tool
List of Customers with Similar Setup/Support for the Last Three [3] Years General:
Note: ¹ Sector = banking, automotive, etc.
Example:
APPENDIX B-1
PERSONAL DATA PROTECTION NOTICE TO VENDORS / PROVIDERS OF GOODS/SERVICES
Purpose of notice
1. This notice is issued pursuant to the requirements under the Personal Data Protection Act 2010 (PDPA) to all individuals who are vendors/providers of goods/services or the individual employees of the vendors/providers of goods/services –
(i) engaged by Bank Negara Malaysia (BNM); or
(ii) who submit any RFI/tender/proposal to BNM for such purpose,
(referred to as “vendors”).
Processing of personal data
2. During the course of its dealings with you, BNM processes personal data of the vendors which includes, but is not limited to, your name, IC number, address and other contact details.
Purpose of processing personal data
3. The personal data is collected for, amongst others, the following purposes:
(a) assessing your suitability to be awarded the contract for which you have applied;
(b) enforcing the rights and obligations in the contracts, including but not limited to, making payments for the goods/services and maintaining the list of key personnel who will be responsible to carry out the rights and obligations of the vendors under the contracts;
(c) providing access to BNM’s premises; and
(d) complying with any legal or regulatory requirements, including but not limited to, compliance with the withholding tax requirements, or as permitted by law or authorised by any order of court.
Disclosure of personal data
4. The personal data held by us shall be kept confidential. However, in order to exercise our rights and obligations under the contracts or to evaluate your RFI/tender/proposal to BNM, we may disclose your personal data to:
Departments within BNM;
Financial institutions;
Other parties authorised by you;
Regulatory and governmental agencies as permitted or required by law, authorised by any order of court or to meet obligations to regulatory authorities.
Protection of personal data
5. The security of your personal data is ensured by BNM as we shall take all physical, technical and organisational measures needed to ensure the security and confidentiality of your personal data. If we disclose any of your personal data to any entities, we will require them to appropriately safeguard the personal data provided to them.
Retention of personal data
6. It is BNM’s policy to destroy personal data of the vendors within 7 years after the contract has been awarded or after the conclusion of the contract, whichever is applicable.
Access of personal data
7. Under the PDPA, you have the right to access your personal data to ensure that the personal data we hold about you is accurate, complete, not misleading and up-to-date. If you wish to exercise such rights and request access to your personal data, please contact us by completing our “Personal Data Access/Correction Request Form” (Appendix B-2) and forwarding it to (via e-mail): [email protected]
Kindly sign and acknowledge that you have read and understood the Notice and that you consent to the processing of your personal data by BNM.
To : Bank Negara Malaysia
I hereby acknowledge that I have read and understood this Personal Data Protection Notice and by signing this, I consent to the processing of my personal data by BNM in accordance with the terms of this notice.
-------------------------
Name :
I/C No :
Date :
_________________________
Details to include designation of contact person, phone no, fax no, email address
APPENDIX B-2
Personal Data Access/Correction Request Form
NAME
IC NO/STAFF ID TEL. NO/EXT. NO
EMAIL ADD.
TYPE OF REQUEST &
TYPE OF PERSONAL DATA
REASON
- I hereby request to access/correct my personal data that is being processed by *
............................………………………………………………………………………………………………………………
(hereinafter ‘the data user’).
- I confirm that the details above are correct and acknowledge that should there be any
incorrect or incomplete information or any circumstances provided under section 32 of the
Personal Data Protection Act 2010, the data user may refuse to give me access to my
personal data.
- I also acknowledge that if the data user, for whatever reason, is unable to comply with this
request within 21 days from today, they would notify me in writing, explaining the reasons,
before the 21 days have lapsed.
- I confirm that all corrections that I would make to my personal data, if any, are correct and
up-to-date.
SIGNATURE
DATE
* Please fill in the name of the department that processes the personal data.
………………………………………………………………………………………………………………………………………………
……………
To be filled in by the data user as an acknowledgment of receipt:
NAME
STAFF ID EXT. NO
SIGNATURE
DATE
DATED THIS DAY X OF [MONTH] 2020
SUBSCRIPTION AGREEMENT FOR
Cybersecurity Risk Rating Tool
BETWEEN
BANK NEGARA MALAYSIA
AND
[insert company name]
(Company No.:XX)
APPENDIX C
THIS AGREEMENT is made this XX of XX 2020
BETWEEN
BANK NEGARA MALAYSIA, a body corporate which continues to exist under the
Central Bank of Malaysia Act 2009, with its head office at Jalan Dato' Onn, 50480
Kuala Lumpur (hereinafter referred to as “BNM”) of the one part;
AND
[insert company name] (Company No.:XX), a company incorporated or deemed to
be incorporated under the Companies Act 2016, with its registered office at [please
insert address] (hereinafter referred to as “the Company”) of the other part.
BNM and the Company shall be hereinafter referred to collectively as “the Parties” and
individually as “the Party”.
WHEREAS
BNM is desirous of subscribing to the Company’s Products and Services, hereinafter
defined, to establish a Cybersecurity Risk Rating Tool, and the Company agrees to
provide the Products and Services subject to the terms and conditions stipulated
below.
IT IS HEREBY AGREED BETWEEN THE PARTIES AS FOLLOWS:
1. DEFINITION AND INTERPRETATIONS
1.1 Definitions
In this Agreement, unless the context otherwise requires:
(a) “Authorised Representative” means the personnel of BNM or the
Company who is responsible to give effect to this Agreement as set out
in Schedule A;
(b) “Authorised User(s)” means full or part-time employees of BNM and
BNM’s contractors who are required to access the Product by BNM;
(c) “Commencement Date” means the XX day of XX 2020;
(d) “Location” refers to locations which access of the Product is restricted
to, including all of BNM’s premises and other locations mutually agreed
to by the Parties in writing.
(e) “Manuals” means the manuals, documentation, user instructions,
technical literature and all other related materials in eye-readable form
supplied to BNM by the Company for use of the Product, if any;
(f) “Price” means the total price payable by BNM to the Company under
this Agreement as set out in Schedule B;
(g) “Product(s)” means all information (including without limitation data,
documents, reports, and standards) and technologies provided by the
Company to BNM as specified in Schedule C; and
(h) “Services” means the services provided by the Company to BNM as
specified in Schedule C.
1.2 Interpretations
In this Agreement, unless the context requires otherwise, the following rules of
interpretation shall apply:
(a) Subject to clause 5, any reference to “Agreement” shall include this
Agreement, schedules and any supplementary agreements or, in the
case where this Agreement has been amended, varied or novated by
the Parties from time to time, such amended, varied or novated
agreement;
(b) Any reference to any statutory provision includes a reference to any
modification, extension or re-enactment thereof (whether made before
or after the date thereof) for the time being in force and also includes a
reference to all by-laws, instruments, orders and regulations for the time
being made thereunder or deriving therefrom;
(c) Any reference to “law” includes the Federal Constitution, decree,
judgment, legislation, order, ordinance, regulation, statute, treaty, by-
law, governmental directions, orders or guidelines or other legislative
measure in Malaysia;
(d) References to the singular number shall include references to the plural
number and vice versa;
(e) Words denoting one gender include the other gender;
(f) Words denoting persons include corporations and vice versa and also
include their respective heirs, personal representatives, successors in
title or permitted assigns as the case may be;
(g) Where a word or phrase is given a defined meaning in this Agreement,
any other part of speech or other grammatical form in respect of such
word or phrase has a corresponding meaning;
(h) Any reference to “writing”, or cognate expressions, includes any
communication effected by prepaid registered post, electronic mail or
facsimile transmission; and
(i) Anything required by this Agreement to be done on a day which is a
Saturday, Sunday or public holiday shall be done and be valid if done on
the next succeeding day which is not such a day.
2. HEADINGS
2.1 The headings and sub-headings in this Agreement are inserted merely for
convenience of reference and shall be ignored in the interpretation and
construction of any of the provisions contained herein.
3. LANGUAGE
3.1 English is the governing language of this Agreement and shall prevail over any
translation that shall be made in this Agreement. All correspondences, notices
or other documents, drawings and diagrams required or permitted hereunder
shall be drawn up and annotated in English unless otherwise agreed by the
Parties.
4. RECITALS
4.1 The recitals of this Agreement shall have effect and be construed as an integral
part of this Agreement, but in the event of any conflict or discrepancy between
any of the provisions of this Agreement and the recitals, such conflict or
discrepancy shall, for the purposes of the interpretation and enforcement of this
Agreement, be resolved by giving the provisions contained in the clauses of this
Agreement priority and precedence over the provisions contained in the recitals
of this Agreement.
5. SCHEDULES
5.1 The schedules to this Agreement shall have effect and be construed as an
integral part of this Agreement, but in the event of any conflict or discrepancy
between any of the provisions of this Agreement and the schedules, such
conflict or discrepancy shall for the purposes of the interpretation and
enforcement of this Agreement, be resolved by giving the provisions contained
in the clauses of the schedules priority and precedence over the provisions
contained in this Agreement.
6. DURATION OF THE AGREEMENT
6.1 The Parties to this Agreement shall continue to perform their respective duties
and obligations under this Agreement from the Commencement Date until
[day] [month] 2021 unless the duration is extended by mutual agreement of
the Parties or terminated earlier by either Party in accordance with the terms of
this Agreement or under the law.
6.2 The duration of this Agreement may be extended for a further period by mutual
consent of the Parties subject to performance evaluation of the Services to the
satisfaction of BNM and such extension shall be given effect by way of
exchange of letters duly signed by the Authorised Representatives at least one
(1) month prior to the expiry date of this Agreement. The extension of this
Agreement shall be effective from the date as specified in the letters.
7. REPRESENTATIONS AND WARRANTIES
7.1 The Company hereby represents and warrants to BNM that:
(a) it is a corporation validly existing under the laws of Malaysia;
(b) it has the corporate power to enter into and perform its obligations under
this Agreement and to carry out the Services and to carry on its business
as contemplated by this Agreement;
(c) it has taken all necessary corporate actions to authorise its signatory and
witness stated herein to execute this Agreement on its behalf to bind it
to enter into and perform this Agreement and to carry out the
transactions contemplated by this Agreement;
(d) as at the date of this Agreement, neither the execution nor performance
by the Company of this Agreement nor any transactions contemplated
by this Agreement shall violate in any respect any provision of:
(i) its Constitution; or
(ii) any other document or agreement which is binding upon it or its
assets;
(e) to the best of its knowledge no litigation, arbitration, tax claim, dispute or
administrative proceeding is presently current or pending or, to its
knowledge, threatened, which is likely to have a material adverse effect
upon it or its ability to perform its financial or other obligations under this
Agreement;
(f) this Agreement constitutes a legal, valid and binding obligation of the
Company and is enforceable in accordance with its terms and
conditions;
(g) it has fulfilled all requirements under the law to undertake and to provide
the Services, including obtaining the relevant licenses or permits which
shall be valid throughout the period of this Agreement;
(h) it has the necessary financial and technical capabilities to undertake the
Services; and
(i) it shall provide the Services in good faith and meet the highest
professional standards,
and the Company acknowledges that BNM has entered into this Agreement in
reliance on its representations and warranties as aforesaid.
8. PRICE AND MANNER OF PAYMENT
8.1 BNM shall pay the Company the Price in the manner set out in Schedule B as
a consideration for the Company’s performance of the Services and other
obligations in accordance with this Agreement.
8.2 The Price shall be inclusive of any tax, duty or charge which is imposed by the
Government of Malaysia pursuant to Malaysian law from the Commencement
Date in respect of this Agreement.
8.3 BNM shall pay the Price to the Company within thirty (30) days from the date
of receipt of an invoice provided that –
(a) the invoice complies and contains all particulars required under the
Malaysian law including the following particulars:
(i) the invoice serial number;
(ii) the date of the invoice;
(iii) the name, address and identification number of the Company;
(iv) the name and address of BNM;
(v) a description sufficient to identify the Services supplied which shall
be distinguished based on the type of Services, extent of the
Services and the amount payable excluding service tax;
(vi) any discount offered;
(vii) the total amount payable for the Services excluding sales or service
tax, the rate of sales or service tax and the total sales or service tax
chargeable shown as a separate amount or total amount payable
inclusive of total of sales or service tax chargeable;
(viii) the equivalent value in Ringgit of any amount at the selling rate of
exchange prevailing in Malaysia at the time of sale of the Services,
if expressed in a currency other than Ringgit;
(b) if the Services supplied under this Agreement are subject to the Sales
Tax under the Sales Tax Act 2018 or the Service Tax under the Service
Tax Act 2018, the Company shall furnish to BNM a proof of registration
as a taxable person under the relevant Act; and
(c) the Services supplied or any part thereof are in accordance with this
Agreement.
8.4 BNM shall not bear any withholding tax, other taxes, duties or charges which
may be levied by the Government of Malaysia, where applicable, on the
Company.
8.5 The Company shall, upon prior agreement in writing by the Parties, provide
additional services which are not deemed as part of the Services (hereinafter
referred to as “Additional Services”) and shall be paid an additional price
(hereinafter referred to as “Additional Price”) in accordance with clause 8. The
Additional Price shall be mutually agreed in writing by the Parties prior to the
commencement of the Additional Services.
9. INFORMATION AND COORDINATION
9.1 The Company shall furnish BNM with such information relating to the Services
as BNM may from time to time reasonably request, and shall take all steps
necessary to clarify and confirm such information with BNM for the purposes of
the Services.
9.2 BNM shall furnish the Company with any information which the Company may
reasonably require from time to time to enable the Company to proceed with
the performance of this Agreement.
10. LIABILITY
10.1 The Company shall not be liable to BNM for any loss or damage whatsoever
or howsoever caused arising in connection with this Agreement other than as
imposed by law.
11. RESTRICTION ON USE OF NAME AND MATERIALS
11.1 The Company shall neither use nor refer to BNM's name or logo, or in any other
manner in respect of this Agreement, without the prior written consent of BNM:-
(a) in the press;
(b) for advertising or promotional purposes; or
(c) to inform or influence any third party.
11.2 The Company agrees not to disclose to any third party that it has been retained
by BNM to provide the Services, unless the information is otherwise already
publicly available or as required under the law.
12. CONFIDENTIALITY
12.1 Each Party hereto undertakes to keep absolutely confidential all information,
specifications or documentation whatsoever concerning the business and
affairs of the other, obtained or received as a result of the discussions leading
to or during the execution or enforcement of this Agreement. The Parties'
obligation of confidentiality shall not apply to information which is:-
(a) already in the possession of each Party other than as a result of a breach
of this clause; or
(b) in the public domain other than as a result of a breach of this clause.
12.2 Each Party undertakes to the other to ensure that its employees, personnel,
agents or sub-contractors comply with the provisions of this clause.
12.3 Disclosure of confidential information pursuant to or under compulsion of a valid
order of a court of law or under the requirement of law is not prohibited; provided
that the Party making the disclosure pursuant to the court order or the
requirement of the law shall first have given notice to the other Party whose
confidential information is required to be disclosed.
12.4 The foregoing obligations concerning confidentiality shall survive the
termination of this Agreement.
13. SUB-CONTRACTS
13.1 The Company shall not, without the prior written consent of BNM, enter into any
sub-contract with any person for the performance of a material part of this
Agreement.
13.2 The Company shall not be relieved from any of its obligations hereunder by
entering into any sub-contract for the performance of any part of this
Agreement. If requested by BNM, and without disclosing any sensitive
commercial information, the Company shall promptly provide BNM with copies
of any sub-contracts.
14. ASSIGNMENT
14.1 Neither Party shall assign nor otherwise transfer this Agreement or any of its
rights and obligations hereunder whether in whole or in part without the prior
written consent of the other Party.
15. TIME
15.1 Time shall be of the essence of this Agreement.
16. WHISTLEBLOWING
16.1 The Company shall as soon as possible, in writing or orally, inform any of the
designated persons of BNM listed in clause 16.5.1, upon having knowledge of
any member of Board of Directors, officer or employee of BNM, directly or
indirectly, asking for or receiving, any Gratification whether for his own personal
benefit or advantage or for the benefit or advantage of any other person, in
relation to this Agreement, whether before, during or after the term of this
Agreement.
16.2 The Company undertakes that neither it nor its Affiliate nor anyone acting on its
behalf shall, whether before, during or after the term of this Agreement, directly
or indirectly, give or offer, or agree to give or offer, any Gratification as an
inducement or reward to any member of Board of Directors, officer or employee
of BNM or any other person, for doing or forbearing from doing or for having
done or forborne from doing any act, or for showing or forbearing from showing
favour or disfavour to any person, in relation to this Agreement.
16.3 In the event BNM is satisfied that the Company, its Affiliate or anyone acting on
its behalf is in breach of clause 16.1 or 16.2, BNM may terminate this
Agreement (without prejudice to BNM’s other rights and remedies under the
law) by giving a prior written notice of one (1) day to the Company. Upon such
termination, BNM shall be entitled to claim all losses, costs, damages and
expenses including any incidental costs and expenses incurred by BNM arising
from such termination. The Company shall not be entitled to recover from BNM
any loss or damages sustained or incurred by the Company as a consequence
of such termination.
16.4 Notwithstanding any other provision in this Agreement but subject to any written
law, BNM shall keep confidential any information disclosed or received under
clause 16 including the identity of the person giving such information and all the
circumstances relating to such information.
16.5 For purposes of clause 16:
16.5.1 The designated persons of BNM are as follows:
(a) Governor, if the information relates to -
(i) any member of BNM’s Board of Directors including Deputy
Governor;
(ii) Assistant Governor;
(iii) General Counsel; or
(iv) Director of LINK and BNM Offices;
(b) Chairman of Board Risk Committee, if the information relates to
Governor; and
(c) General Counsel or Director of LINK and BNM Offices, if the
information relates to any officer or employee of BNM other than
those identified under (a) above.
16.5.2 ‘Affiliate’ means in relation to the Company, any person or entity
controlled directly or indirectly by the Company, or any person or entity that
controls directly or indirectly the Company in any way whatsoever.
16.5.3 ‘Gratification’ includes any gift, money, property or thing of value, or any
service, favour or other intangible benefit or consideration of any kind, or any
other similar advantage.
17. NOTICES
17.1 All notices which are required to be given hereunder shall be in writing and shall
be sent to the address of the recipient as set out in Schedule A or such other
address in Malaysia as the recipient may designate by notice given in
accordance with the provisions of this clause.
17.2 Any notice given in conformity with the foregoing sub-clause shall be deemed
to have been given at any of the following times as may be appropriate:
(a) when it is delivered by hand at the time when it is so delivered on a
working day;
(b) when it is sent by prepaid registered post on the second working day
following that on which the notice was put into the post; and
(c) when the notice is sent by electronic mail or facsimile, on the first working
day after it was sent.
18. VARIATION
18.1 It is hereby expressly agreed and declared by the Parties hereto that
notwithstanding any of the provisions of this Agreement to the contrary, the
provisions and terms of this Agreement may at any time and from time to time
be varied or amended by mutual consent of the Parties hereto by means of a
mutual exchange of letters signed by the Authorised Representative of each
Party. Such amendments and variations shall be deemed to become effective
and the relevant provisions of this Agreement shall be deemed to have been
amended or varied accordingly and shall be read and construed as if such
amendments and variations have been incorporated therein as from the date
specified in the exchange of letters.
19. GOVERNING LAW
19.1 This Agreement shall be governed by and construed in accordance with the
laws of Malaysia.
20. SETTLEMENT OF DISPUTES
20.1 The Parties shall, in good faith, attempt to settle amicably and mutually, any
disputes or conflicts arising from this Agreement.
20.2 All disputes, conflicts or differences arising between the Parties from this
Agreement, or breach, termination or illegality thereof, which cannot be
resolved by the Parties within a period of fourteen (14) days under clause 20.1,
shall be finally settled by arbitration in accordance with the manner and rules
stipulated in clause 21.
20.3 The Parties’ performance of obligations under this Agreement shall neither
cease during any arbitration proceedings nor shall the Parties be released from
any obligations hereunder by the institution of any arbitration proceedings.
21. ARBITRATION
21.1 Any unresolved dispute, controversy or claim between BNM and the Company
shall be referred to and finally resolved by arbitration in Malaysia by an arbitrator
to be agreed upon between the Parties or, failing agreement within fourteen
(14) days after either Party has given to the other a written request to agree to
the appointment of an arbitrator, a person to be nominated by the Director of
the Asian International Arbitration Centre at the request of either Party. The
arbitration shall be in accordance with the Arbitration Act 2005 and the
Arbitration Rules for Asian International Arbitration Centre for the time being in
force which rules are deemed to be incorporated by reference into this clause.
21.2 The arbitration award shall be final and binding on the Parties and judgment
upon the award entered in arbitration may be entered in any court of competent
jurisdiction.
22. TERMINATION
22.1 This Agreement may be terminated forthwith by either Party on giving thirty (30)
days’ prior written notice to the other.
22.2 Notwithstanding the above, the Company shall obtain the written consent of
BNM if the Company wishes to terminate this Agreement under clause 22.1 and
if required by BNM, the Company shall provide BNM with solution(s) mutually
acceptable to the Parties to address the problem(s) encountered by BNM
arising from such termination.
22.3 The Company shall not be entitled to terminate this Agreement under clause
22.1 if the Company fails to propose a solution(s) to BNM or if the solution(s)
proposed by the Company under clause 22.2 is not acceptable to BNM.
22.4 Notwithstanding clause 22.1 to 22.3 above, either Party may give a thirty (30)
days’ prior written notice to the other Party to terminate this Agreement, if:
(a) the other Party is in material breach of any terms, conditions, warranties
or any provisions of this Agreement and has failed to remedy that
breach, having been given sixty (60) days’ written notice to remedy the
breach, except as otherwise provided in this Agreement; or
(b) the other Party commits an act of bankruptcy, or a receiving order is
made against it, or it makes or negotiates for any composition or
arrangement for the benefit of its creditors or if a petition for its winding-
up has been presented against it in a court of competent jurisdiction, or
it becomes insolvent or ceases to carry on its business.
22.5 Each Party shall fulfil all its obligations under this Agreement pending the
effective date of termination upon the issuance of notice under this clause. BNM
shall allow the personnel or agents of the Company to enter BNM’s premises
for the purpose of carrying out its outstanding obligations.
22.6 Any termination under clause 22.1 shall discharge the Parties from any liability
for further performance of this Agreement and BNM shall be entitled to be
repaid forthwith any sums previously paid in advance under this Agreement in
respect of the Services that were not provided in accordance with Schedule C
hereunder prior to the effective date of termination. In the event BNM terminates
this Agreement under clause 22.4, BNM may recover from the Company the
amount of any loss or damage suffered or incurred by BNM as a consequence
of such termination.
22.7 Termination of this Agreement shall not affect the accrued rights or
corresponding obligations of the Parties under this Agreement in so far as they
are capable of subsisting.
23. FORCE MAJEURE
23.1 The Parties hereto shall not be liable for failures or delays in performing their
obligations hereunder arising from any cause beyond their control, including but
not limited to, act of God, acts of civil or military authority, fires, strikes, lockouts
or labour disputes, epidemics, wars, riots, earthquakes, storms, typhoons and
floods and in the event of any such delay, the time for either Party's
performance shall be mutually extended for a period equal to the time lost by
reason of the delay. Save where such delay is caused by the act or omission
of the other Party in which event the rights, remedy and liabilities of the Parties
shall be those conferred and imposed by the terms of this Agreement and by
law.
23.2 In the event of any delay, the delaying Party shall promptly notify the other in
writing of the reasons for the delay and the likely duration of the delay, whereby
the performance of such Party’s obligations shall be mutually suspended during
the period that the conditions specified in the foregoing sub-clause persist and
such Party shall be mutually granted an extension of time for performance equal
to the period of the delay. Provided that if the conditions shall continue beyond
the duration of thirty (30) consecutive days, either Party may terminate this
Agreement forthwith by written notice to the other Party.
24. WAIVER
24.1 Failure or neglect by either Party to enforce at any time any of the provisions
hereof shall not be construed nor deemed to be a waiver of the Party's rights
hereunder nor in any way affect the validity of the whole or any part of this
Agreement nor prejudice the Party's rights to take subsequent actions.
25. LEGAL FEES AND STAMP DUTY
25.1 Each Party shall bear its own legal fees and the stamp duty incurred herein
shall be borne by the Company.
26. SURVIVAL AND SUCCESSION
26.1 Terms or clauses related to confidentiality, whistle blowing, conduct of the
company and its personnel, intellectual property rights and indemnity, and
liability of this Agreement shall survive any termination of this Agreement.
26.2 The Agreement, in its entirety, shall inure to the benefit and be binding on the
successors, heirs and assigns of the Parties and the liability provision in clause
10 shall be extended to any affiliates, shareholders, personnel and employees
of either the Parties, as the case may be, and any successors, heirs and
assigns of any such person or entity.
27. SEVERABILITY
27.1 In the event that any of the terms, conditions or provisions contained in this
Agreement shall be deemed invalid, unlawful or unenforceable to any extent,
such term, condition or provision shall be severed from the remaining terms,
conditions and provisions which shall continue to be valid to the fullest extent
permitted by law.
28. INTELLECTUAL PROPERTY RIGHTS AND INDEMNITY
28.1 All contents and data provided in relation to the Services (collected, submitted,
processed and analysed by the Services) shall be and remain the sole property
of BNM, except any commercial data which BNM is not granted the license for.
BNM, as the proprietor, has the right to instruct the Company to securely
dispose of any data at the end of service.
28.2 The Company shall indemnify BNM and hold BNM harmless, at its own
expense, in respect of any claim or action by a third party in the event that the
contents provided in relation to the Services infringes the intellectual property
rights (including without limitation any patent, copyright, registered design or
trademark) of any third party, provided that BNM:
(a) promptly notifies the Company of any allegations of intellectual property
infringement forthwith upon becoming aware of the same;
(b) at the Company's request and expense, shall allow the Company or any
other party which the Company may nominate, either severally or jointly,
the right to conduct and/or settle all negotiations and litigation resulting
from any such claim, subject to the following conditions:
(i) the Company giving to BNM reasonable security as, from time to
time, required by BNM to cover the amount ascertained or agreed
or estimated, as the case may be, of any compensation,
damages, expenses and costs for which BNM may become liable;
and
(ii) the Company taking over such conduct within a reasonable time
after being notified of the claim in question; and
(c) shall, at the request of the Company, afford all reasonable assistance with such
negotiations or litigation, and shall be reimbursed by the Company for any out-of-
pocket expenses incurred in so doing.
28.3 The indemnity given under clause 28.2 shall not apply to infringement arising
out of the use of the contents provided by the Company in relation to the
Services outside of the Location including external distribution, production,
duplication or copied by any means, in whole or in part, without the prior written
consent of the Company.
29. PERSONAL DATA PROTECTION
29.1 Where the Company provides to BNM personal data of the Company’s
employees who shall be performing any part of the Services under this
Agreement (hereinafter be referred to as “Data Subjects”), the Company:
(a) shall obtain the consent of each Data Subject to allow BNM to process
the personal data of the Data Subject in accordance with the Personal
Data Protection Act 2010 (hereinafter referred to as “the PDPA”);
(b) undertakes that each Data Subject has read and understood BNM’s
Personal Data Protection Notice as set out in Schedule D;
(c) pursuant to clause 29.1(a), the Company shall submit to BNM prior to
the commencement of any part of the Services, the Personal Data
Protection Consent form (hereinafter referred to as “the Consent form”)
that has been duly signed by each Data Subject; and
(d) in the event of any change to the Data Subjects, the Company shall
immediately require the new Data Subject to sign the Consent form and
submit the duly signed Consent form to BNM prior to the new Data
Subject performing any part of the Services.
29.2 Notwithstanding any clause to the contrary, the Company shall indemnify BNM
and keep BNM fully and effectively indemnified against all costs, claims,
demands, expenses and liabilities of whatsoever nature arising out of or in
connection with any claim that the use or possession of the Personal Data by
BNM under clause 29.1 is in breach of any of the requirements under the PDPA.
30. DECLARATION OF RELATIONSHIP
30.1 The Company declares that –
(a) it is not an entity –
(i) in which BNM has significant influence in respect of financial and
operating decisions;
(ii) controlled by BNM by virtue of BNM’s shareholding, BNM’s
control of its board’s composition, BNM’s funding, the Company
being BNM’s subsidiary or associate, or the Company being the
subsidiary of BNM’s subsidiary or BNM’s associate; and
(b) neither the Company’s director nor person who has control and
significant influence over the Company is –
(i) BNM’s Key Management Personnel (BNM KMP);
(ii) the Close Family Member of BNM KMP;
(iii) the Close Family Member of BNM staff;
other than those already informed in writing to BNM.
30.2 During the tenure of the Agreement, the Company shall inform BNM in writing,
in accordance with the format set out in Schedule F, within seven (7) days upon having knowledge of the existence of any relationship mentioned in clause 30.1 above.
30.3 Without prejudice to BNM’s other rights and remedies, BNM may terminate the
Agreement in the event that the Company fails to comply with clause 30.
30.4 For purposes of clause 30:
(a) “Key Management Personnel” of BNM are as follows –
(i) Governor;
(ii) Deputy Governor;
(iii) Assistant Governor or equivalent;
(iv) Board of Directors; or
(v) any head of departments.
(b) “Close Family Member of the Key Management Personnel” are as follows –
(i) spouse(s);
(ii) children and their spouses; or
(iii) dependants;
(c) “Close Family Member of BNM staff” are as follows –
(i) spouse(s);
(ii) children and their spouses;
(iii) dependants;
(iv) parents;
(v) parents in-law;
(vi) siblings; or
(vii) sibling's spouse and their children.
31. CONDUCT OF THE COMPANY AND ITS PERSONNEL
31.1 Before, during and after the duration of this Agreement, the Company shall
comply with BNM’s Vendor Code of Conduct (“VCOC”) provided in Schedule
E, including any updated versions of the VCOC published by BNM on its
website (http://www.bnm.gov.my).
31.2 The Company shall ensure that its employees and personnel have read and
understood the obligations specified in the VCOC.
31.3 The Company and its employees and personnel shall undertake to:
(a) notify BNM promptly of any breach, including possible breach, of the
VCOC, that it knows or has reason to believe has occurred or is likely to
occur; and
(b) co-operate fully with BNM on any investigations into any breach,
including possible breach, of the VCOC, including providing any
information requested by BNM.
B. Change of Personnel
31.4 The Company undertakes that the Personnel shall be available to perform the
Services to the satisfaction of BNM throughout the period of this Agreement.
During the duration of this Agreement, the Personnel shall be exclusively under
the supervision, direction and control of the Company.
31.5 The Company shall not change any of the Personnel without cause and without
the prior written consent of BNM. Failure on the part of the Company in
complying with this requirement shall entitle BNM (without prejudice to BNM’s
other rights and remedies under the law) to claim for any loss or damage
sustained by BNM resulting from the failure on the part of the Company to
comply with the provision of the Personnel under clause 31.4.
31.6 In the event there is a need by the Company to change the Personnel due to
reasonable grounds accepted by BNM in writing, the Company shall provide
alternative Personnel who are of equal or better skill and knowledge and who
are accepted in writing by BNM. The Company shall provide BNM with a thirty
(30) working days written notice prior to the date of change of such Personnel.
In the event of failure on the part of the Company to give sufficient notice to
BNM or the alternative Personnel are not acceptable to BNM, BNM has a right
to terminate this Agreement and the Company shall (without prejudice to BNM’s
other rights and remedies under the law) forthwith refund to BNM all sums
previously paid to the Company under this Agreement.
31.7 BNM may at any time make objections to any of the Personnel provided in
clause 31.4 and to any alternative Personnel provided in clause 31.6. Upon
receipt of a written objection from BNM, the Company shall within a reasonable
time acceptable to BNM replace the Personnel to whom objection has been
made.
C. Security and Access
31.8 BNM shall, for the purposes of this Agreement, provide access to the premises
to the Personnel during normal working hours for the purposes of carrying out
of the Company’s obligations under this Agreement. BNM reserves the right to
refuse access to the Personnel who are in its absolute opinion unfit to be at the
premises. The Personnel shall strictly comply with BNM’s security procedures
and policies for access to the premises and throughout the period the Personnel
is at the premises.
[END OF CLAUSES]
IN WITNESS WHEREOF the Parties hereto have executed this Agreement on the
date first written above.
Signed by )
for and on behalf of )
BANK NEGARA MALAYSIA )
(Authorised signatory)
Name:
NRIC No.:
Designation:
(Witness signatory)
Name:
NRIC No.:
Designation:
Signed by )
for and on behalf of )
[insert company name] )
(Company No.: XX) )
(Authorised signatory)
Name:
NRIC No.:
Designation:
(Witness signatory)
Name:
NRIC No.:
Designation:
SCHEDULE A
AUTHORISED REPRESENTATIVES AND ADDRESSES
1. The Authorised Representatives of the Parties are as follows:-
(a) BNM:
(i) Director, Risk Specialist and Technology Supervision Department, or in the absence of Director,
(ii) Deputy Director, Risk Specialist and Technology Supervision Department
(b) Company:
(i) [name] [designation]
(ii) [name] [designation]
2. Address of the Parties shall be as follows:-
To BNM:
Director
Risk Specialist and Technology Supervision
Bank Negara Malaysia
1C, Jalan Dato’ Onn
50480, Kuala Lumpur
Telephone No:
The Company:
[name of company]
[address]
Telephone No: XX
Facsimile No: XX
(Attention: [name])
(END OF SCHEDULE A)
SCHEDULE B
PRICE
1. Price
In consideration of the Company’s due performance of the Products and Services and
other obligations under this Agreement, BNM shall pay the Company the Price of:
Malaysian Ringgit: [value] (MYRXX) only as follows:
Packages | Subscribed Period | Amount exclusive of SST (MYR) | SST (6%) (MYR) | Amount inclusive of SST (MYR)
Cybersecurity Risk Rating Tool | XX XX 2020 - XX XX 2021 | XX | XX | XX
TOTAL | | XX | XX | XX
The payment structure of the Price shall be as follows:
(The table below is for illustrative purposes only; the confirmed payment structure is subject to contract finalisation.)
Payment structure for the Products and Services
Item | Description | Amount exclusive of SST (RM) | SST (6%) (RM) | Amount inclusive of SST (RM) | Payment schedule
1. | Cybersecurity Risk Rating Tool | XX | XX | XX | [insert date of payment here]
TOTAL | | XX | XX | XX |
Note:
Payment shall be made in accordance with the above stated payment schedule. If
in the reasonable opinion of BNM, the Company is in breach of any part of this
Agreement, BNM shall be entitled to be refunded with the portion of the Price for
Services which are not yet rendered and Services which are affected arising from
the Company’s breach of the Agreement, without prejudice to any
other rights or remedies that may have accrued to BNM under the law or in this
Agreement and to the continuance in force of the appointment of the Company
under this Agreement.
2. Manner of Payment
The payment of the Price referred to in paragraph 1 shall be payable by BNM to
the Company via electronic funds transfer into the account specified as follows:
(a) Name and address of bank:
(b) Account Number:
(c) Account type:
(d) Account Scheme
(END OF SCHEDULE B)
SCHEDULE C
PRODUCTS AND SERVICES
The Company shall provide the following Products to BNM:
a) Cybersecurity Risk Rating Tool
The Company shall provide the following Services to BNM:
b) Set up and commission the Cybersecurity Risk Rating Tool as per BNM’s requirements;
a) Provide an implementation plan with detailed timeline;
b) Provide 24/7 support, training and maintenance throughout the contract period;
c) Ensure uninterrupted 24x7 services and support, designed with high availability and comprehensive backup;
d) Ensure sound and secure operation of the service;
e) Provide a solution that applies various analytical techniques to efficiently build risk profiles of the financial institutions based on various context and metadata;
f) Enable a real time intelligence-led solution that is based on a consistent rating methodology capable of presenting analysed intelligence in a manageable and actionable way;
g) Provide continuous visibility on potential external risks and automatically calculate a dynamic cyber-risk rating for each financial institution to develop a comparative benchmark of the cyber risk landscape of the financial sector;
h) Provide necessary technical support for any integration via API between Cybersecurity Risk Rating Tool and other systems;
i) Adhere to industry standard cybersecurity hygiene such as ENISA cyber hygiene;
j) Ensure all data are not processed or used for any other purpose that is out of scope of Cybersecurity Risk Rating Tool services;
k) Provide user manuals and on-boarding training and/or knowledge sharing sessions to BNM and Cybersecurity Risk Rating Tool users;
l) Provide continuous industry cyber-risk situational awareness via dynamic rating, actionable information and recommendations for security controls;
m) Provide impact analysis of threat trends affecting the industry, technology or region/global;
n) Provide user-friendly and intuitive dashboard and reporting, with search and analysis functionalities;
o) Ensure secure data disposal (for data provided by BNM) at the end of service or at the termination of service.
(END OF SCHEDULE C)
SCHEDULE D
PERSONAL DATA PROTECTION NOTICE
TO VENDORS / PROVIDERS OF GOODS/SERVICES
Purpose of notice
1. This notice is issued pursuant to the requirements under the Personal Data Protection Act 2010 (PDPA) to all individuals who are vendors/providers of goods/services or the individual employees of the vendors/providers of goods/services –
(iii) engaged by Bank Negara Malaysia (BNM); or
(iv) who submits any RFI/tender/proposal to BNM for such purpose,
(referred to as “vendors”).
Processing of personal data
2. During the course of its dealings with you, BNM processes personal data of the vendors which includes, but is not limited to, your name, IC number, address and other contact details.
Purpose of processing personal data
3. The personal data is collected for, amongst others, the following purposes:
(e) assessing your suitability to be awarded the contract for which you have applied;
(f) enforcing the rights and obligations in the contracts, including but not limited to, making payments for the goods/services and maintaining the list of key personnel who will be responsible to carry out the rights and obligations of the vendors under the contracts;
(g) providing access to BNM’s premises; and
(h) complying with any legal or regulatory requirements, including but not limited to, compliance with the withholding tax requirements, or as permitted by law or authorised by any order of court.
Disclosure of personal data
4. The personal data held by us shall be kept confidential. However, in order to exercise our rights and obligations under the contracts or to evaluate your RFI/tender/proposal to BNM, we may disclose your personal data to:
- Departments within BNM;
- Financial institutions;
- Other parties authorised by you;
- Regulatory and governmental agencies as permitted or required by law, authorised by any order of court or to meet obligations to regulatory authorities.
Protection of personal data
5. The security of your personal data is ensured by BNM as we shall take all physical, technical and organisational measures needed to ensure the security and confidentiality of your personal data. If we disclose any of your personal data to any entities, we will require them to appropriately safeguard the personal data provided to them.
Retention of personal data
6. It is BNM’s policy to destroy personal data of the vendors within seven (7) years after the contract has been awarded or after the conclusion of the contract, whichever is applicable.
Access of personal data
7. Under the PDPA, you have the right to access your personal data to ensure that the personal data we hold about you is accurate, complete, not misleading and up-to-date. If you wish to exercise such rights and request access to your personal data, please contact us by completing our “Personal Data Access/Correction Request Form” (as attached) and forwarding it to:-
Name :
Designation :
Address :
Direct Line :
Facsimile No. :
Email address :
Kindly sign and acknowledge Consent Form below by e-mail to [email protected] or fax +603-91792158 that you have read and understood this Notice and you consent to the processing of your personal data by BNM.
CONSENT FORM
To : Bank Negara Malaysia
I hereby acknowledge that I have read and understood this Personal Data Protection Notice and by signing this, I consent to the processing of my personal data by BNM in accordance with the terms of this Notice.
-------------------------
Name :
I/C No :
Date :
Personal Data Access/Correction Request Form
NAME
IC NO/STAFF ID
TEL. NO/EXT. NO
EMAIL ADD.
TYPE OF REQUEST & TYPE OF PERSONAL DATA
REASON
- I hereby request to access/correct my personal data that is being processed by * .............................. (hereinafter ‘the data user’).
- I confirm that the details above are correct and acknowledge that should there be any incorrect or
incomplete information or any circumstances provided under section 32 of the Personal Data Protection
Act 2010, the data user may refuse to give me access to my personal data.
- I also acknowledge that if the data user, for whatever reason, is unable to comply with this request
within 21 days from today, they would notify me in writing, explaining the reasons, before the 21 days
have lapsed.
- I confirm that all corrections that I would make to my personal data, if any, are correct and up-to-date.
SIGNATURE
DATE
* Please fill in the name of the department that processes the personal data.
……………………………………………………………………………………………………………………....
To be filled in by the data user as an acknowledgment of receipt:
NAME
STAFF ID
EXT. NO
SIGNATURE
DATE
(END OF SCHEDULE D)
SCHEDULE E
VENDOR CODE OF CONDUCT
Please refer to the attached Vendor Code of Conduct.
* For declaration of relationship pursuant to clause 30, please disregard Appendix 2 of the VCOC and refer to Schedule F.
(END OF SCHEDULE E)
SCHEDULE F
BANK NEGARA MALAYSIA (BNM) DECLARATION OF RELATIONSHIP BY VENDOR*
Name of Contract : _____________________________________________________
Vendor’s Name and Company No. (if applicable) : _____________________________________________________
I, ______________________________________ (NRIC No./Passport No.: ______________________), the undersigned / acting as the authorised representative of the Vendor, hereby declare that –
Section A: To be filled if Vendor is an individual
I am a Close Family Member of BNM KMP** or Close Family Member of BNM staff***
Section B: To be filled if Vendor is an entity
BNM has significant influence over the Vendor in respect of its financial and operating decisions
The Vendor is controlled by BNM by virtue of BNM’s shareholding, BNM’s control of its board’s composition, BNM’s funding, the Vendor being BNM’s subsidiary or associate, or the Vendor being the subsidiary of BNM’s subsidiary or BNM’s associate
The director or person who has control or significant influence over the Vendor as listed in the schedule below is BNM KMP****, Close Family Member of BNM KMP** or Close Family Member of BNM staff***:
No | Name | Position in Vendor | Name of BNM KMP or BNM staff, if applicable | Relationship, if applicable
1.
2.
I hereby declare that I have carefully read and completed this form myself and provided current and accurate information to the best of my knowledge.
Signature
Name of Signatory Position Date:
FOR BNM’S OFFICIAL USE ONLY
No | Name | Relationship
1.
2.
* “Vendor” refers to BNM’s counterparty under the Contract as named above which or who is referred to in the Contract as either the Service Provider, Supplier, Company, Tenant, Landlord, Consultant, or any other name.
** “Close Family Member of BNM KMP” refers to the spouse, children and their spouses, dependants, of BNM’s Key Management Personnel (BNM KMP)
*** “Close Family Member of BNM staff” refers to spouse, children and their spouses, dependants, parents, parents in-law, siblings, sibling's spouse and their children, of BNM staff
**** “BNM KMP” refers to BNM’s Governor, Deputy Governors, Assistant Governors and equivalent, BNM’s Board of Directors and Directors / Heads of Departments.
Confirmation of receipt by budget owner or assigned department:
Signature
Name Department Date
Confirmation of receipt by Strategic Human Capital Department:
Signature
Name
Date
Confirmation of receipt by Board Secretariat Unit:
Signature
Name
Date
(END OF SCHEDULE F)
APPENDIX D
Implementation of Cyber Security Risk Rating Tool
SECTION A.1 - STATEMENT OF COMPLIANCE WITH BASE TENDER
(TO BE TYPED ON THE TENDERER'S OFFICIAL LETTERHEAD)
BANK NEGARA MALAYSIA
Jalan Dato’ Onn
50480 Kuala Lumpur
Dear Sir
Implementation of Cyber Security Risk Rating Tool
STATEMENT OF COMPLIANCE
Having examined the Request for Proposal (RFP) document, addenda and clarifications, we warrant that for the Base Tender, our tender submission fully / partially complies with the provisions of the above said Request for Proposal (RFP) document, addenda and clarifications without any deviation, exception or qualification.
Date this .............................. day of .............................. 2020
Signature ......................................................
Name ......................................................
Designation ......................................................
Company Stamp ......................................................
Witness
Signature ......................................................
Name ......................................................
NRIC No. ......................................................
Address ......................................................
......................................................
......................................................
RFP – Cybersecurity Risk Rating Tool CONFIDENTIAL
SECTION A.2 – COMPLIANCE MATRIX
A.2.1 TECHNICAL & BUSINESS REQUIREMENTS
(Details of the requirements are provided in Part B, Section 3 and 4 of the main Request for Proposal document)
Part B: Section 3.0 – Technology and Service Requirements
NO | REQUIREMENT | COMPLIANCE STATEMENT | JUSTIFICATION
2.2 The cyber risk rating tool is to be delivered by the Tenderer to BNM on a subscription based model.
3.0 Cyber Security Risk Rating Tool Requirements (Technical Requirements)
3.1.1 General
3.1.1.1 The proposed solution must be delivered on a subscription model and may be integrated as cloud-based components.
3.1.1.2 The proposed solution’s web interface must be supported at minimum by prevailing browsers such as Microsoft Internet Explorer, Microsoft Edge, Google Chrome and Apple Safari. Optionally, the proposed solution may also be accessed via a mobile application supported by Apple iOS and Google Android.
3.1.1.3 The Tenderer must ensure that the proposed service is secure and any data provided by BNM on related FIs are retained securely and confidentially.
3.1.1.4 The Tenderer must provide support and maintenance throughout the contract period (preferably by onsite/customer call centre);
3.1.1.5 The Tenderer must be able to provide general support and usability training for users as required by BNM. All user manuals must also be provided and updated if required.
3.1.1.6 All financial institutions data submitted by BNM which are processed and analysed by the tool are owned by BNM and respective financial institutions.
3.1.1.7 All data as mentioned in 3.1.1.6 must not be processed or used for any other purpose.
3.1.1.8 The proposed solution is required to be able to retain at least twelve (12) months of online data for analysis purposes and provide options for exporting / archiving post duration data either automatically or manually.
3.1.1.9 The proposed solution must be capable of providing a user activity log or user audit trail. These logs and audit trails must be kept for a minimum period of twelve (12) months.
3.1.2.1 Data Source and Exporting
3.1.2.2 The proposed solution must be able to automatically collect and analyse external risk indicators or information from a wide range of sources such as, but not limited to, surface, deep and dark web channels.
3.1.2.3 The proposed solution must be capable of exporting/archiving data in a variety of data formats, either automatically or manually, all of which can be configured through the user interface (web portal), such as, but not limited to:
- API;
- CSV;
- PDF, Word, Txt; and
- XML;
Please state whether the solution can support formats other than those mentioned above.
3.1.2.3 The proposed solution should be able to support data restoration capabilities for a variety of data formats.
3.1.3 Rating Tool Requirements
3.1.3.1 The proposed solution must provide the capability to easily create and maintain a watch list for tracking and/or prioritizing of financial institutions.
3.1.3.2 The proposed solution must be able to automate the collection, contextualization and analysis of externally available risk data to assess the financial institutions' cyber hygiene and risk exposure levels;
3.1.3.3 The proposed solution must be capable of providing a dynamic external exposure rating for each defined financial institution based on external risk threat or vulnerability information.
3.1.3.4 The proposed solution must be able to provide proactive tracking and remediation suggestions for all critical and high vulnerabilities identified.
3.1.3.5 The proposed solution must ensure that the risk ratings for managed financial institutions are refreshed frequently, incorporating new information collected and updated tracking of security controls.
3.1.3.6 The proposed solution must be able to provide local comparative benchmark rating of the cyber-risk landscape of the financial sector.
3.1.3.7 The proposed solution is preferred to have the capability to provide automated predictive analysis from gathered information.
3.1.3.8 The proposed solution must allow BNM to incorporate customized thresholds, acceptance levels and rating benchmarks.
3.1.3.9 The proposed solution must be able to keep track of the FIs' history, growth and comparison levels up to a period of twelve (12) months. The solution must also provide exporting or archiving options to automatically or manually store post duration information and related charts, graphs and reports.
3.1.3.10 The proposed solution must provide the capability to perform entity attributions and risks analysis for the managed financial institutions.
3.1.3.11 The proposed solution must have a consistent rating methodology where the rating efficacy and assessed criteria are transparent.
3.1.3.12 The proposed solution must be consistently updated to be able to effectively track cyber risk trends that pose potential risks to the financial sector.
3.1.3.13 The proposed solution must be able to provide continuous monitoring and analysis on external risk exposures via dynamic risk rating. This should comprehend the industry cyber risk situational awareness, provide actionable intelligence and recommendations for security controls.
3.1.3.14 The proposed solution must provide the capability to apply custom tagging, labelling or marking.
3.1.4 Visualization
3.1.4.1 The proposed solution must be capable of providing real-time fixed or customizable graph-based data representations and trending analysis.
3.1.4.2 The proposed solution must provide a user-friendly and intuitive dashboard functionality with charts, graphs and general comparative analysis information made available.
3.1.4.3 The proposed solution must provide in-depth analysis / description for graphs/charts and related data representations.
3.1.4.4 The proposed solution must be able to display profile of the external state of cyber risk rating of each financial institution.
3.1.4.5 The proposed solution must be capable of providing real-time built-in benchmarking or peer comparative analysis functionality between local financial institutions with highlights of critical indicators/areas.
3.1.4.6 The proposed solution is preferred to have the capability to provide regional and global level benchmarking and comparisons for both individual financial institutions and the Malaysian financial sector.
3.1.4.7 The proposed solution must be able to provide timeline based (e.g. by week, by month, by quarter, by year) graphs/charts to keep track and compare historical data and FIs' growth.
3.1.4.8 The proposed solution must use colour indicators or icons to help illuminate, visualize, prioritize and highlight risk levels via the rating structure.
3.1.4.9 The proposed solution is preferred to have the capability to provide customizable dashboard requirements or built-in widget options.
3.1.5 Performance
3.1.5.1 The proposed solution must have at least twelve (12) months of online retention of data analysis and reports which can be used by BNM to perform search and analysis functions.
3.1.5.2 The proposed solution must be designed for high availability and comprehensive backup
3.1.5.3 The proposed solution must provide search, sorting and filtering functionalities to allow for comparative analysis and filtering of relevant information. The functionality should support multiple criteria sets such as by keywords, sector, country, timeline and more which can be saved.
3.1.6 Security
3.1.6.1 The proposed solution must use secured HTTPS connection, encrypted with TLS 1.2 or latest secured version
3.1.6.2 The proposed solution’s portal must have a secure digital certificate that uses strong cryptography algorithms based on the industry standard.
3.1.6.3 The proposed solution must be periodically updated with the latest security and application/system updates.
3.1.6.4 The proposed solution must support user password management capabilities
3.1.6.5 The proposed solution must have secure encryption controls in place for all data provided by BNM that will be stored in the solution platform environment.
3.1.6.6 The proposed solution must be capable of supporting multi-factor authentication (MFA) for login functionality.
3.1.7 Notification and Sharing
3.1.7.1 The proposed solution must have the capability of displaying/sending notifications or alerts to BNM based on customizable pre-defined criteria such as, but not limited to, alerting high priority vulnerabilities, alerting when a financial institute drops below a fixed rating threshold.
3.1.7.2 The proposed solution is preferred to have automated mechanisms to allow sharing of information between BNM and financial institutions as required.
3.1.7.3 The proposed solution is preferred to have the capability to sanitize or anonymize the information as required for appropriate sharing by BNM.
3.1.8 Reporting Requirements
3.1.8.1 The proposed solution must be capable of automatically generating various comprehensive and visually supplemented reports which can be seamlessly exported as required. These reports are preferred to be generated in the following formats such as PDF, Word, HTML and/or HTML.
3.1.8.2 The proposed solution must be able to automatically produce reports based on defined criteria and timelines (by week, by month, by quarter, by year). These reports must cover the intended objectives of the tools such as, but are not limited to,
- Detailed individual FI profile rating and cyber-risk landscape reports;
- Comparison and benchmarking reports; and
- Observations and recommendations for security controls.
3.1.8.3 The proposed solution must be capable of generating both high level and detailed reports for individual financial institutions managed and for general industry comparison and peer benchmarking.
3.1.8.4 The proposed solution is preferred to have the capability to support report customization capabilities.
3.1.9 Additional Requirements
3.1.9.1 The Tenderer must have processes to ensure secure data disposal for all data provided by BNM, at the end of service period or at the termination of service.
3.1.9.2 The proposed solution is preferred to provide capabilities to act as a platform for tracking security compliance issues
3.1.9.3 The proposed solution is preferred to provide third/fourth party risk assessment and rating capabilities.
3.1.9.4 Upon tender award, the Tenderer must apply a methodological approach to ensure the implementation of the service is completed in the required timeline with quality and impactful results.
Note: The Tenderer is required to complete the Compliance Matrix above. Please refer to the RFP for your reference and detailed information.
APPENDIX E-1
Implementation of Cybersecurity Risk Rating Tool Cost Summary
Company: ____________________________
A. Implementation of Cybersecurity Risk Rating Tool
Note: The service agreement is for one (1) year initial subscription followed by yearly renewal, subject to performance evaluation by BNM.
OPTIONAL B. Additional participating entities fee (based on entity number licensing model)
Note: Tenderer can leave this table blank if it offers a blanket costing model for the services; e.g. Tenderer charges a yearly lump-sum subscription fee regardless of the number of entities on boarded.
* Please state minimum number of entities required to be on boarded.
OPTIONAL C. Additional participating entities fee (based on slot licensing model)
Note: Tenderer can leave this table blank if it offers a blanket costing model for the services; e.g. Tenderer charges a yearly lump-sum subscription fee regardless of the number of slots offered.
* Please state minimum number of entities required to be on boarded.
Name
Designation
Signature
Date
Company Stamp
APPENDIX E-2
Implementation of Cybersecurity Risk Rating Tool Detailed Costing
(Breakdown in Cost) For 1st year subscription
The Tenderer shall provide detailed information on the breakdown cost of this project, where applicable in the table below.
Name of company: <pls state your company name>
*Example: annual license, support services, training, additional licenses and costs, …
Note: The service agreement is for one (1) year initial subscription followed by yearly renewal, subject to performance evaluation by BNM.
For 2nd year subscription
*Example: annual license, support services, training, additional licenses and costs, …
Note: The service agreement is for one (1) year initial subscription followed by yearly renewal, subject to performance evaluation by BNM.
For 3rd year subscription
*Example: annual license, support services, training, additional licenses and costs, …
Note: The service agreement is for one (1) year initial subscription followed by yearly renewal, subject to performance evaluation by BNM.