Technology Risk Management Guidelines – Key Requirements

      Who Does It Apply To

      • Applies to all financial institutions that MAS regulates, ranging from large banks to venture capital firms and payment services firms
      • Not all mandatory: use a risk-based approach

      Expectations for Financial Institutions

      • Financial institutions should conduct gap analysis to determine non-compliance
      • Any non-compliance as a result of implementation difficulties should be documented and explained with mitigating controls identified
      • Financial institutions’ compliance with guidelines will be assessed by external auditors or MAS

      Expectations for Service Providers

      • While MAS does not expect service providers to comply with the guidelines, any regulated client may expect service providers to have similar or identical requirements as per the guidelines
      • At a minimum, service providers need to have secure and resilient systems

      Focus on Board of Directors and Senior Management

      • Ensure technology risk management framework is established
      • Appoint Chief Information Officer (or its equivalent)
      • Appoint Chief Security Officer (or its equivalent)
      • Directors and senior managers be trained on technology risks and practices
      • Manage information assets

      Technology Risk Management Applicability

      • Risk applies to any third party delivered using IT, third party storing or electronically processing confidential or sensitive customer information
      • Manage third party IT risks prior to engagement
      • Ensure third party applies high standard care and diligence concerning data confidentiality and system resilience

      Inhouse Software Requirements

      • Adopt secure coding, source code review and application security testing if in-house software developed
      • Consider third party service provider IT risks and development and provision of services

      Enhanced Data and Infrastructure Security

      • Focus on non-traditional areas such as Internet of Things (loT), Shadow IT, and Bring Your Own Device (BYOD)

      Cyber Security Operations

      • Collect and process information on cyber events, threat intelligence and system vulnerabilities
      • Assess potential impact to the financial institutions’ business and IT environment
      • Exchange timely and actionable cyber threat information with other parties
      • Establish cyber security operations centre or acquire managed security services to monitor cyber threats
      • Establish cyber incident response and management plan to resolve cyber threats

      Assess Cyber Security

      • Carry out scenario-based exercises such as social engineering or cyber range exercises to check speed of response and readiness
      • Perform adversarial attack simulation exercises
      • Set up remediation to track and resolve issues identified from cyber exercises

      How Can Argus (Now Waystone Compliance) Help

      Argus (now Waystone Compliance) is able to assist in set up of the fund as well as the fund manager in the following manner:

      • Perform gap analysis against current Technology Risk Management Guidelines and provide recommendations and improvement.
      • Assist to review third party service providers and provide assessment on whether they are able to meet the Technology Risk Management Guidelines requirements.
      • Draft/review Technology Risk Management Policy.
      • Provide periodic reviews on technology risk management and provide assessment report.

      If you intend to know more, have any queries or need further information on any matters relating to the above mentioned, feel free to reach out to us at [email protected].

      Previous post Next post

      More like this

      Training Requirements For Financial Institutions

      Argus Global (now Waystone Compliance) is conducting a training on AML/CFT on 28 Nov 2019. This training will be for a…
      Read more

      Increase in the budget of Ongoing Compliance

      The Cost of Compliance: Time & Money According to survey data released in Q1 2017 from the National Small Business…
      Read more

      Non-Face-to-Face Identity Verification

      The Monetary Authority of Singapore (“MAS”) on 10 November 2020, introduced a new consultation paper on the types of information…
      Read more

      Introduction to Fund Setup in Singapore

      A fund is a pool of money set aside for a specific purpose. These pools of money are often invested…
      Read more

      Fund Management Company, Venture Capital – Singapore Series

      Venture Capital Fund Management (VCFM) A Fund Management Company is a business in which licensed or registered managers manage the…
      Read more

      Singapore Funds Industry Group (SFIG) to Strengthen Singapore’s Fund Management Ecosystem

      New Singapore Funds Industry Group to Strengthen Singapore’s Fund Management Ecosystem The Monetary Authority of Singapore (MAS) announced on 27…
      Read more