Revised Technology Risk Management Guidelines

      On 18 January 2021, the Monetary Authority of Singapore (MAS) released a revised Technology Risk Management Guidelines to address an environment of growing usage by financial institutions (FIs) of cloud technologies, application programming interfaces (APIs), and rapid software development methods (such as Agile) – some of which the MAS has also been promoting/enabling in the financial industry. The Technology Risk Management Guidelines are a set of technology risk management principles and best industry practices first published in 2013 and these latest revisions – first proposed in March 2019 in a Consultation Paper – reinforces the importance of incorporating security controls as part of FIs’ technology development and delivery lifecycle, as well as in the deployment of emerging technologies.

      The recent spate of widely-reported cyber attacks on supply chains targeted multiple IT service providers through the exploitation of network management software from SolarWinds widely-used by IT service providers has affected a large number of firms globally including Fortune 500 companies and government agencies such as users of Microsoft Azure cloud service. The revised Technology Risk Management Guidelines addresses this by providing enhanced cyber risk mitigation strategies for FIs around the establishment of a robust and comprehensive process to analyse and share cyber threat intelligence within the financial ecosystem; and to conduct cyber exercises (in addition to the industry standard of vulnerability assessments and penetration testing) to allow FIs to stress test their cyber defences by simulating the attack tactics, techniques, and procedures used by real-world attackers.

      The revised Technology Risk Management Guidelines also recognises the burgeoning dependence on third party providers by FIs and sets out the expectation for FIs to exercise stronger oversight of arrangements with third party service providers, to ensure system resilience as well as maintain data confidentiality and integrity. This is on top of the MAS Guidelines on Outsourcing as the revised Guidelines remind FIs that an IT service provider does not have to be considered an outsourcing arrangement to pose risk to the financial institution.

      The MAS has focused its revised Technology Risk Management Guidelines around enhancing its guidance on the following areas:

      Governance and Oversight by the Board of Directors and Senior Management

      There should be directors and senior management with the relevant skills and knowledge of technology risks to provide the necessary oversight. The Board and senior management will need to ensure that a Chief Information Officer (or Head) and a Chief Information Security Officer (or Head), with the appropriate experience and expertise, are appointed and accountable for managing technology risks and cyber risks for the FIs.

      Software Development and Management

      The revised Technology Risk Management Guidelines provides guidance on software development and management, particularly as a response to the widespread in-house adoption of Agile development methods by financial institutions and DevOps practices to facilitate rapid software delivery and changes. The Technology Risk Management Guidelines reminds financial institutions to continue to apply secure software development best practices, such as secure coding and code review while using Agile development methods. It also emphasises the importance of DevSecOps management – the practice of automating and integrating IT operations, quality assurance and security practices in the software development process.

      Emerging Technologies

      FIs have been investing in new and emerging technology such as APIs, smart electronic devices and virtualisation, to enhance the delivery and efficiency of its services to its customers. The revised Technology Risk Management Guidelines remind and provide guidance to FIs to employ a security-by-design approach to building security in every phase of its system development life cycle (SDLC) to minimise the cyber attack surface and manage risks from arising from such emergent technologies.

      Cyber Resilience

      Recognising the increasing frequency and impact of cyber incidents in the recent years, and the importance of cyber resilience to sustaining trust and confidence in the financial industry, the revision introduces the concept of cyber resilience and the need to employ a defence-in-depth approach to strengthening cyber resilience. Apart from cyber threat intelligence, cyber security assessment and testing, and cyber incident management is recognised as an important component of a good cyber resilience programme.

      To facilitate ease of reference, MAS has also cancelled the MAS circulars issued after July 2013 on vulnerability assessment and penetration testing, IT security risks posed by personal mobile devices, early detection of cyber intrusions and technology risk, and cyber security training for the FI’s board of director- and have incorporated these into the revised Guidelines.

      Applicability of the guidelines should be adopted based on the nature, size and complexity of the FIs’ business.

      How can Argus (now Waystone Compliance) Assist?

      We, at Argus Global (now Waystone Compliance), are a team of consultants who specialize in regulatory compliance for financial institutions. We assist to do the following:

      • Assist to update Risk Management policies and procedures to ensure adherence of the revised Technology Risk Management Guidelines
      • Perform gap analysis on current technology risk management policies against revised Technology Risk Management Guidelines
      • Assist to training to employees to educate on technology risk management measures to adopt

      Please reach out to us for an initial discussion at at [email protected].

      Follow us on LinkedIn for regular updates.

      Previous post Next post

      More like this

      Strengthening AML/CFT Controls of Digital Payment Token (DPT) Providers

      The Monetary Authority of Singapore (MAS) recently released an infographic setting out recent international developments and MAS’ supervisory expectations on…
      Read more

      Peer to Peer Lending/ Crowdfunding Requirements in Singapore

      Crowdfunding generally refers to capital-raising approach that seeks to raise funds from a large number of individuals. Typically, funds are…
      Read more

      MAS to enhance enforcement actions against market abuse and financial misconduct

      In its Enforcement Report published today, the Monetary Authority of Singapore (MAS) has detailed several actions against financial institutions (FIs)…
      Read more

      Financial Advisors – Balanced Scorecard Requirements

      Monetary Authority of Singapore (“MAS”) issued Notice FAA-N02 Requirements for the Remuneration Framework for Representatives and Supervisors (“Balanced Scorecard Framework”)…
      Read more

      Licensing and Compliance Requirements for Precious Metal Dealers

      In late 2019, Ministry of Law (“Minlaw”) reminded all precious metal dealers to register their business with the Registrar of…
      Read more

      Guidelines on Individual Accountability and Conduct

      On 10 September 2020, the MAS released the Guidelines on Individual Accountability and Conduct (“Individual Accountability Guidelines”) which lists down…
      Read more