The Monetary Authority of Singapore (MAS) has issued revised Technology Risk Management guidelines in light of the recent spate of cyber attacks dominating the headlines.
The revised guidelines focus on addressing technology and cyber risks in financial institutions (FIs) deploying cloud technologies, application programming interfaces, and rapid software development.
The guidelines reinforce the importance of incorporating security controls as part of FIs’ technology development and delivery lifecycle, as well as in the deployment of emerging technologies.
The revised guidelines set out enhanced risk mitigation strategies for FIs, which include establishing a robust process for the timely analysis and sharing of cyber threat intelligence within the financial ecosystem.
They also outline the importance of conducting cyber exercises to allow FIs to stress test their cyber defenses by simulating the attack tactics, techniques, and procedures used by real-world attackers.
In light of FIs’ growing reliance on third party service providers, the revised guidelines set out the expectation for FIs to exercise strong oversight of arrangements with third party service providers, to ensure system resilience as well as maintain data confidentiality and integrity.
The guidelines also provide additional guidance on the roles and responsibilities of the board of directors and senior management to ensure that a Chief Information Officer and a Chief Information Security Officer, with the requisite experience and expertise, are appointed and accountable for managing technology and cyber risks.
The board should also include members with the relevant knowledge to provide effective oversight of technology and cyber risks.
The revised guidelines have incorporated feedback received from the public consultation conducted in 2019, MAS’ engagement with the industry, and MAS’ Cyber Security Advisory Panel (CSAP).
Mr Tan Yeow Seng, Chief Cyber Security Officer, MAS, said,
“Technology now underpins most aspects of financial services. Not only are financial institutions adopting new technologies, they are also increasingly reliant on third party service providers.
The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions.”