Revised Technology Risk Management Guidelines
On 18 January 2021, the Monetary Authority of Singapore (MAS) released a revised Technology Risk Management Guidelines to address an environment of growing usage by financial institutions (FIs) of cloud technologies, application programming interfaces (APIs), and rapid software development methods (such as Agile) – some of which the MAS has also been promoting/enabling in the financial industry. The Technology Risk Management Guidelines are a set of technology risk management principles and best industry practices first published in 2013 and these latest revisions – first proposed in March 2019 in a Consultation Paper – reinforces the importance of incorporating security controls as part of FIs’ technology development and delivery lifecycle, as well as in the deployment of emerging technologies.
The recent spate of widely-reported cyber attacks on supply chains targeted multiple IT service providers through the exploitation of network management software from SolarWinds widely-used by IT service providers has affected a large number of firms globally including Fortune 500 companies and government agencies such as users of Microsoft Azure cloud service. The revised Technology Risk Management Guidelines addresses this by providing enhanced cyber risk mitigation strategies for FIs around the establishment of a robust and comprehensive process to analyse and share cyber threat intelligence within the financial ecosystem; and to conduct cyber exercises (in addition to the industry standard of vulnerability assessments and penetration testing) to allow FIs to stress test their cyber defences by simulating the attack tactics, techniques, and procedures used by real-world attackers.
The revised Technology Risk Management Guidelines also recognises the burgeoning dependence on third party providers by FIs and sets out the expectation for FIs to exercise stronger oversight of arrangements with third party service providers, to ensure system resilience as well as maintain data confidentiality and integrity. This is on top of the MAS Guidelines on Outsourcing as the revised Guidelines remind FIs that an IT service provider does not have to be considered an outsourcing arrangement to pose risk to the financial institution.
The MAS has focused its revised Technology Risk Management Guidelines around enhancing its guidance on the following areas:
Governance and Oversight by the Board of Directors and Senior Management
There should be directors and senior management with the relevant skills and knowledge of technology risks to provide the necessary oversight. The Board and senior management will need to ensure that a Chief Information Officer (or Head) and a Chief Information Security Officer (or Head), with the appropriate experience and expertise, are appointed and accountable for managing technology risks and cyber risks for the FIs.
Software Development and Management
The revised Technology Risk Management Guidelines provides guidance on software development and management, particularly as a response to the widespread in-house adoption of Agile development methods by financial institutions and DevOps practices to facilitate rapid software delivery and changes. The Technology Risk Management Guidelines reminds financial institutions to continue to apply secure software development best practices, such as secure coding and code review while using Agile development methods. It also emphasises the importance of DevSecOps management – the practice of automating and integrating IT operations, quality assurance and security practices in the software development process.
FIs have been investing in new and emerging technology such as APIs, smart electronic devices and virtualisation, to enhance the delivery and efficiency of its services to its customers. The revised Technology Risk Management Guidelines remind and provide guidance to FIs to employ a security-by-design approach to building security in every phase of its system development life cycle (SDLC) to minimise the cyber attack surface and manage risks from arising from such emergent technologies.
Recognising the increasing frequency and impact of cyber incidents in the recent years, and the importance of cyber resilience to sustaining trust and confidence in the financial industry, the revision introduces the concept of cyber resilience and the need to employ a defence-in-depth approach to strengthening cyber resilience. Apart from cyber threat intelligence, cyber security assessment and testing, and cyber incident management is recognised as an important component of a good cyber resilience programme.
To facilitate ease of reference, MAS has also cancelled the MAS circulars issued after July 2013 on vulnerability assessment and penetration testing, IT security risks posed by personal mobile devices, early detection of cyber intrusions and technology risk, and cyber security training for the FI’s board of director- and have incorporated these into the revised Guidelines.
Applicability of the guidelines should be adopted based on the nature, size and complexity of the FIs’ business.
How can Argus (now Waystone Compliance) Assist?
We, at Argus Global (now Waystone Compliance), are a team of consultants who specialize in regulatory compliance for financial institutions. We assist to do the following:
- Assist to update Risk Management policies and procedures to ensure adherence of the revised Technology Risk Management Guidelines
- Perform gap analysis on current technology risk management policies against revised Technology Risk Management Guidelines
- Assist to training to employees to educate on technology risk management measures to adopt
Please reach out to us for an initial discussion at at [email protected].
Follow us on LinkedIn for regular updates.