PAYNET Cyber Resilience Independent Assessment — AKATI Sekurity

PAYNET Cyber Resilience Assessment

Not Just Compliance — Build a Resilient Payment Ecosystem

Financial transactions never stop. Neither do cyber threats. As a PAYNET Participant, ensuring cyber resilience goes beyond compliance — it's about guaranteeing the security, availability, and continuity of your payment services. A single cyber incident can disrupt operations, compromise customer data, and erode institutional confidence.

AKATI Sekurity's Cyber Resilience Independent Assessment goes beyond the standard audit. We stress-test your cybersecurity framework, assess your ability to detect and respond to threats, and identify gaps before they become crises.

PAYNET Guidelines v2.1
Independent Assessment
BNM CRMA Aligned
CREST Approved

PAYNET Mandate. The Guidelines on Cyber Resilience for Participants of PayNet Services (Version 2.1) establish essential cybersecurity and resilience expectations for all Participants — covering prevention, detection, response, and recovery from cyber threats across Malaysia's digital payment infrastructure.

Guidelines v2.1

PAYNET Cyber Resilience Guidelines

The guidelines establish four key pillars of cyber resilience for all PAYNET Participants. Each pillar carries its own specific requirements and submission obligations.

Pillar 1

Cyber Resilience Maturity Assessment (CRMA)

PAYNET requires Participants to evaluate their cyber resilience maturity using BNM's CRMA framework — a structured approach to measuring cyber risk maturity and security capabilities across the organisation.

  • Participants engaged by BNM must complete the CRMA Self-Assessment Test (SAT) and Self-Assessment Questionnaire (SAQ)
  • Submission in Excel format to PAYNET by 31 December each year
  • Official BNM CRMA Report must be provided once available
  • Participants must comply with CRMA requirements at all times
  • Supporting documents must be provided upon PAYNET's request

Pillar 2

Independent Cyber Resilience Assessment

Participants not subject to BNM's CRMA must conduct an annual independent assessment of their cyber resilience using PAYNET's approved assessment template — performed by qualified internal teams or outsourced cybersecurity firms.

  • Annual independent review using PAYNET's approved assessment template
  • May be conducted by Internal Audit, IT Risk Management, or Compliance
  • Alternatively performed by a qualified outsourced cybersecurity firm
  • Completed assessment report due to PAYNET by 31 December each year
  • Must cover governance, security controls, continuity, and response capabilities

Pillar 3

Incident Response & Mandatory Reporting

All Participants must report cyber incidents affecting PAYNET systems or services — including successful attacks and near misses. Strict timelines govern notification, updates, and full incident reporting.

  • Report any cyber incident affecting PAYNET systems, including near misses
  • 1–3 hours after confirmation: notify PAYNET and submit initial report
  • Every 12 hours during recovery: provide containment and resolution updates
  • Within 72 hours after recovery: submit full incident report
  • Reports submitted via Cyber Security Incident Report Template (Appendix A) to CRWG@paynet.my
  • PAYNET may request details on non-PAYNET incidents that pose ecosystem risk

Pillar 4

Enforcement & Penalty Charges

Non-compliance with cyber resilience guidelines carries tangible consequences — from monetary penalties to service suspension. PAYNET determines actual penalties based on violation severity and risk assessment.

  • Monetary penalties of up to RM5,000 per non-compliance issue annually
  • Suspension of PAYNET services for significant or repeated non-compliance
  • Penalty severity determined at PAYNET's discretion based on risk assessment
  • Applies to all obligations: CRMA submission, independent assessments, and incident reporting

Incident Response Timeline

When a cyber incident is confirmed, PAYNET mandates a strict escalation timeline. Every hour counts — and the reporting obligations are non-negotiable.

Immediate
1–3 hrs

Initial Notification

Notify PAYNET via official communication platform and submit initial incident report within 1–3 hours of confirming the incident.

Ongoing
Every 12 hrs

Recovery Updates

Provide updates every 12 hours during the recovery period — covering containment actions, eradication progress, and resolution status.

Post-Recovery
72 hrs

Full Incident Report

Submit a comprehensive incident report to PAYNET within 72 hours after recovery. Report using the Cyber Security Incident Report Template (Appendix A).

Reporting Channel: All incident reports must be submitted to CRWG@paynet.my using the prescribed template. If a cyberattack on a non-PAYNET system could pose ecosystem risk, PAYNET reserves the right to request further details.

CRMA or Independent — Which Applies to You?

PAYNET recognises two assessment pathways depending on whether your organisation is engaged by BNM for CRMA. Both lead to the same destination: demonstrated cyber resilience by 31 December annually.

Pathway A

BNM CRMA Participants

Organisations engaged by Bank Negara Malaysia under the CRMA framework submit their self-assessment directly.

  • Complete CRMA SAT & SAQ in Excel format
  • Submit to PAYNET by 31 December annually
  • Provide official BNM CRMA Report when available
  • Maintain compliance with CRMA at all times

Pathway B

Independent Assessment

Participants not subject to BNM's CRMA must engage an independent assessor — internal or external — to evaluate cyber resilience.

  • Use PAYNET's approved assessment template
  • Conducted by Internal Audit, IT Risk, Compliance, or qualified external firm
  • Submit completed report to PAYNET by 31 December
  • AKATI Sekurity is qualified to perform this assessment

Non-Compliance Penalties

PAYNET enforces its cyber resilience guidelines with tangible consequences. The cost of non-compliance is real — and extends beyond financial penalties to operational risk.

Monetary
RM5,000

Per Non-Compliance Issue Annually

Monetary penalties of up to RM5,000 per non-compliance issue per year. Actual penalty depends on the severity of the violation and PAYNET's risk assessment.

Operational
Suspension

PAYNET Service Suspension

For significant or repeated non-compliance, PAYNET may suspend access to payment network services — directly impacting your ability to process transactions.

From Compliance to True Resilience

Compliance keeps regulators satisfied. Resilience keeps your business running. AKATI Sekurity focuses on real-world security outcomes — not just checkboxes.

Resilience, Not Just Compliance

We stress-test your defences against realistic threat scenarios — going far beyond checklist-driven audits to build genuine cyber resilience.

Independent & Unbiased

We don't sell security products. We don't take shortcuts. We exist to find what others miss — with no conflicts of interest.

Actionable, Not Theoretical

Every finding comes with tested, practical remediation recommendations your team can implement immediately — no vague advisory language.

Zero-Disruption Assessment

Your payment operations don't stop. Our methodology delivers deep insights with minimal operational impact — structured around your business cycles.

QSA Certified
ASV Certified
CREST Approved
ISO 27001
BNM RMiT
BNM CRMA
PAYNET

Is Your Cyber Resilience Ready?

Threats are getting smarter. Your security should be too. Schedule your independent Cyber Resilience Assessment with AKATI Sekurity — your ultimate test against cyber threats.

hello@akati.com  |  akati.com