MAS Technology Risk Management Guidelines: what you need to know

Written by
RMI Team (F)

On 18 January 2021, the Monetary Authority of Singapore (MAS) released their latest Technology Risk Management (TRM) Guidelines 2021, developed in close collaboration with leading cybersecurity experts. The revised guidelines address current and emerging risks related to digital transformation and the growing use of technologies such as cloud computing and application programming interfaces (APIs) in the financial services industry.

These TRM Guidelines apply to all licensed financial institutions (FIs) in Singapore, including service providers such as:

  • Funding and investment-related companies
  • Insurance companies and reinsurers
  • Banks, including wholesale banks and financial holding companies
  • Credit and payments-related companies
  • Market operators and financial exchanges

Here are 7 points that financial business leaders should take note of to strengthen cyber resilience against technology risks.

Expanded responsibilities for the board of directors and senior management

The revised TRM Guidelines introduce additional roles and responsibilities for the board of directors and senior management in ensuring that their organisations adopt sufficiently robust technology risk governance. These include:

  • Appointing a Chief Information Officer (or its equivalent) and a Chief Information Security Officer (or its equivalent) with requisite experience and expertise
  • Ensuring that the board of directors and senior management include members with knowledge of technology and cyber risks, and undergo cybersecurity training if necessary
  • Having sufficient oversight over technology risks and play an active role in key IT decisions
  • Establishing internal processes to enable effective reporting of technology matters to higher management
  • Adopting a risk appetite and risk tolerance statement

Extended oversight to include all third parties, not just outsourced service providers

Some third-party services may not constitute outsourcing, but as long as they process, transmit or store confidential or sensitive customer information, FIs should take measures to minimise risks of a third-party system failure or security breach.

Leaders are asked to assess and review their third-party partners’ risk governance measures to ensure that a high standard of care and diligence is employed with regard to data privacy, cybersecurity and system resilience – both before entering into a new contractual agreement, and on an ongoing basis.

New guidelines related to in-house software development

With APIs increasingly being used in the financial services industry to facilitate crossplatform collaboration, MAS recognises the need for any APIs developed and managed inhouse to adhere to strict security standards.

Section 6 of the TRM Guidelines outlines standards that FIs should adopt regarding secure coding, source code review and application security testing. It also advises on proper governance of third-party API access, and puts forth recommendations such as real-time monitoring of API calls, and having FIs vet and manage their end-users’ applications risks.

New section on cybersecurity operations and assessment measures

Financial leaders are advised to procure cyber intelligence monitoring services and subscribe to cyber intelligence sharing platforms such as FS-ISAC, IT-SAC, SingCERT or CVE to address operational risk. These services also improve the resilience of their organisations against common cyberthreats including malware and active cyberattacks.

Other recommendations include detecting and responding to misinformation propagated via the internet; establishing cyber incident response capabilities; carrying out penetration testing; and conducting scenario-based cyber exercises involving key stakeholders and senior management.

New section on managing employee device use

With remote and hybrid work, Bring Your Own Device (BYOD) – where employees use personal devices to access business information and systems – is now commonplace. To manage the increased risk of cyberattacks targeted at personal devices, FIs are required to revise their BYOD policies and procedures with stronger security controls, such as with Mobile Device Management or virtualisation solutions.

New section on data and infrastructure security

In the future of distributed work, FIs need to ensure their endpoints are secure. The Center for Internet Security (CIS) Benchmarks are a good reference for secure configuration and hardening of endpoint protection. Leaders should also look at using Network Intrusion Protection Systems and Network Access Control to detect and block malicious traffic.

The proliferation of the Internet of Things (IoT) has also prompted the 2021 TRM Guidelines to include policies and procedures to manage IoT security, such as the use of sandboxed browsing and network segregation between IoT devices and the core operating network.

New security requirements for online financial services

As more financial transactions and communications are happening via digital channels, FIs are required to strengthen their encryption, security and control measures to ensure better protection against data leaks, phishing attacks and malware.

Beyond improving the security of their digital channels, leaders should also not lose sight of fundamental operational risks, including customer authentication, secure transaction signing, fraud monitoring and customer education on proper cybersecurity hygiene.

Don’t be the weak link in an interconnected financial ecosystem

The 2021 revisions to the TRM Guidelines are an acknowledgement that while digital transformation brings significant benefits, it also increases businesses’ exposure to certain risks, including operational and cybersecurity risks.

While the guidelines are not legal obligations per se, they do put forth best practice standards and principles for managing some of the most critical technology risks in financial services today. Additionally, how well an FI observes and follows these TRM Guidelines may have an impact on MAS’s overall risk assessment. These reasons alone should serve as sufficient motivation for financial services leaders to take another look at the gaps in their current risk management plans.