Issue #2: 2021 | Technology Risk Management Guidelines
Updated: Apr 12, 2021
1 February 2021
These revised MAS Technology Risk Management Guidelines set out technology risk management principles and best practices to guide financial institutions to:
Establish sound and robust Technology Risk Governance and Oversight
Maintain Cyber resilience
On 18 January 2021, the Monetary Authority of Singapore (“MAS”) issued the new Technology Risk Management Guidelines (“2021 Guidelines”), which update the previous Technology Risk Management Guidelines issued in 2013 (“2013 Guidelines”).
The revised guidelines focus on addressing technology and cyber risks in an environment of growing use of cloud technologies, application programming interfaces, and rapid software development by financial institutions (“FIs”). The Guidelines reinforce the importance of incorporating security controls into FIs’ technology development and delivery lifecycle, as well as into the deployment of emerging technologies. These guidelines apply to all FIs, which also include payment services licensees.
Categories of amendments
Additional guidance on roles and responsibilities of Board of Directors and Senior Management.
More stringent assessments of third-party vendors and entities that access the FI’s IT systems.
Introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem.
“Technology now underpins most aspects of financial services. Not only are financial institutions adopting new technologies, they are also increasingly reliant on third-party service providers”
Tan Yeow Seng, MAS Chief Cyber Security Officer
Key Changes in the 2021 guidelines
Expanded roles and responsibilities for Board of Directors and Senior Management
The Board and Senior Management should ensure that a Chief Information Officer (or equivalent) and a Chief Information Security Officer (or equivalent) with the requisite experience are appointed to manage technology and cyber risks.
The Board and Senior Management should include members with knowledge of technology and cyber risks.
Assessment of Tech Vendors
Establish standards and procedures for vendor evaluation; this assessment includes (but is not limited to) analysis of the vendor’s software development, quality assurance and security practices.
Adopt a risk-based approach when assessing the robustness of the software vendor’s security and quality assurance practices.
Obtain an undertaking from the software vendor on the quality of the software, to gain assurance that the third-party software is secure.
Assessment of third parties’ suitability to connect to Application Programming Interfaces (“APIs”) and governance of third-party API access
An adequate screening process for assessing third-party entities that wish to access the FI’s APIs
Key aspects on the scope of API guidelines:
Using strong encryption for secure transfer of data
Monitoring usage of APIs
Detection of suspicious activities and revocation of access in the event of a security breach.
Cyber threat management and incident reporting
Establish a process for collecting, processing and analysing cyber-related information, strengthened by cyber intelligence monitoring services.
Have a security operations centre, or acquire managed security services, to facilitate continuous monitoring and analysis of cyber events.
Cyber Incident Response and Management
A Cyber Incident Response and Management plan should be in place to isolate and neutralise a cyber threat and to securely resume affected services.
Investigate and identify security or control deficiencies and lay out communication, coordination, and response procedures to address such threats.
Cyber security assessments
Vulnerability assessment should include a vulnerability discovery process and the identification of weak security configurations and open network ports.
Penetration testing will also require FIs to perform a combination of black-box and grey-box testing.
Simulation of cyber-attack tactics, techniques and procedures
Regular scenario-based cyber exercises involving senior management, business functions and technical staff should be carried out to validate the response and recovery plan.
These exercises should take the form of an adversarial attack by a red team to test and validate the effectiveness of the FI’s cyber defence and response plan.
A comprehensive remediation process should follow after the exercise.
The revised guidelines set out MAS's higher expectations in the areas of technology risk governance and security controls in financial institutions.
Tan Yeow Seng, MAS Chief Cyber Security Officer
Implications and Next Steps
In preparation for compliance with the 2021 Guidelines, FIs will now need to take steps to ensure that:
The Board and Senior Management include members with adequate knowledge of technology and cyber risks, and all members are apprised of the expanded responsibilities.
The Board appoints a Chief Information Officer and a Chief Information Security Officer.
There is an assessment procedure for potential tech vendors and API access.
Monitoring, assessment and reporting of cyber threats are in line with the 2021 Guidelines, and the relevant simulations and tests are carried out routinely.
Over and above securing their own systems, FIs must now also manage the potential technology risks of their IT service providers.
These updated guidelines issued by MAS are effective immediately.