Technology Risk Management Guidelines – Key Requirements
Who Does It Apply To
- Applies to all financial institutions that MAS regulates, ranging from large banks to venture capital firms and payment services firms
- Not every requirement is mandatory: the guidelines are applied using a risk-based approach proportionate to the institution's size and risk profile
Expectations for Financial Institutions
- Financial institutions should conduct a gap analysis against the guidelines to identify areas of non-compliance
- Any non-compliance arising from implementation difficulties should be documented and explained, with mitigating controls identified
- Financial institutions’ compliance with the guidelines will be assessed by external auditors or by MAS
Expectations for Service Providers
- While MAS does not expect service providers themselves to comply with the guidelines, a regulated client may require its service providers to meet similar or identical requirements to those in the guidelines
- At a minimum, service providers need to operate secure and resilient systems
Focus on Board of Directors and Senior Management
- Ensure a technology risk management framework is established
- Appoint a Chief Information Officer (or equivalent)
- Appoint a Chief Security Officer (or equivalent)
- Ensure directors and senior managers are trained on technology risks and practices
- Manage information assets
Technology Risk Management Applicability
- Applies to any third-party service delivered using IT, and to any third party that stores or electronically processes confidential or sensitive customer information
- Manage third-party IT risks prior to engagement
- Ensure third parties apply a high standard of care and diligence concerning data confidentiality and system resilience
In-house Software Requirements
- Adopt secure coding, source code review and application security testing where software is developed in-house
- Consider the IT risks posed by third-party service providers in the development and provision of services
Enhanced Data and Infrastructure Security
- Focus on non-traditional areas such as Internet of Things (IoT), shadow IT, and Bring Your Own Device (BYOD)
Cyber Security Operations
- Collect and process information on cyber events, threat intelligence and system vulnerabilities
- Assess the potential impact on the financial institution’s business and IT environment
- Exchange timely and actionable cyber threat information with other parties
- Establish a cyber security operations centre, or acquire managed security services, to monitor cyber threats
- Establish a cyber incident response and management plan to contain and resolve cyber incidents
Assess Cyber Security
- Carry out scenario-based exercises, such as social engineering or cyber range exercises, to check speed of response and readiness
- Perform adversarial attack simulation exercises
- Set up a remediation process to track and resolve the issues identified during cyber exercises
How Can Argus (Now Waystone Compliance) Help
Argus (now Waystone Compliance) is able to assist with the set-up of the fund as well as the fund manager in the following ways:
- Perform a gap analysis against the current Technology Risk Management Guidelines and provide recommendations for improvement.
- Assist in reviewing third-party service providers and assess whether they are able to meet the Technology Risk Management Guidelines requirements.
- Draft/review Technology Risk Management Policy.
- Provide periodic reviews of technology risk management and deliver an assessment report.
If you would like to know more, have any queries or need further information on any of the matters mentioned above, feel free to reach out to us at [email protected].