6 Key Takeaways From MAS’ New Technology Risk Management Guidelines

March 24, 2021

With the rising number and scale of cyberattacks, the Monetary Authority of Singapore (MAS) revised its technology risk management (TRM) guidelines on January 18, 2021.

The TRM guidelines apply to all financial institutions (FI) that MAS regulates, ranging from large ones like banks, insurers and exchanges to small ones like venture capital managers and payments services firms.

The TRM guidelines address increased reliance on emerging technologies like cloud computing, application programming interfaces (APIs) and rapid software development and the fast-changing cyber threat landscape.

We view the 2021 version, which retains most of the prior 2013 version as its base, as a “best practice framework” for FIs that outlines governance practices and internal controls to pre-empt and address current risks.

Beyond addressing new technologies deployed today, the 2021 guidelines significantly emphasize the need for cyber security and defence. To illustrate, in the 2013 guidelines, we found that the word “cyber” appeared four times, always in the context of “cyberattack.”

Reflecting how much the concept of cyber risk has developed in significance and sophistication over eight years, in the 2021 version, “cyber” appears 74 times and is used to express a host of phenomena like “risk,” “threat,” “resilience,” “security,” “criminals,” “incidents,” “events,” “intelligence,” “exercises” and “range.”

Here are some of our key takeaways from the 2021 version of the TRM guidelines:

1. More focus on the board of directors and senior management being able to understand and manage technology risk, including cyber risk

Both the 2013 and 2021 guidelines require the board of directors and senior management (BSM) to ensure that a TRM framework is established and maintained and oversee the same.

The 2021 guidelines add that the BSM should ensure the appointments of a Chief Information Officer (or its equivalent) and a Chief Information Security Officer (or its equivalent) with requisite experience and expertise.

The MAS does allow for modification of this requirement in small firms with a limited headcount. However, the fact that the 2021 guidelines also state that the board should be trained on technology risk and TRM practices clearly shows that MAS would like to see BSM keep up with rapid developments in technology risk.

2. Extending TRM to all third parties, not just outsourced service providers

While the 2013 version considered third-party IT risk from outsourcing, the 2021 version recognizes that an FI’s use of services of any third party delivered using IT or involving a third party storing or electronically processing confidential or sensitive customer information poses risk if the third party has a system failure or security breach.

The 2021 version thus asks FIs to assess and manage all third-party IT risks before entering into a contractual agreement or partnership, and to ensure that the third party employs a high standard of care and diligence concerning data confidentiality and system resilience.

3. New section on software application development and management

Acknowledging that FIs are increasingly developing in-house software, the 2021 version has a section outlining standards that FIs should adopt on secure coding, source code review and application security testing.

The section also addresses an FI’s use of third-party and open-source software code and the development and provision of application programming interfaces (APIs).

4. Enhanced data and infrastructure security in light of new technologies

While the 2013 version already set out measures to guard against cyberattacks, the 2021 revision has enhancements that address prevailing phenomena like Bring Your Own Device (BYOD), virtualization and the Internet of Things.

5. New section on cyber security operations

The 2021 guidelines ask FIs to collect and process information on cyber events, threat intelligence and system vulnerabilities and to assess the potential impact on the FI’s business and IT environment.

FIs should also actively exchange timely and actionable cyber threat information with trusted parties while being alive to relevant misinformation.

FIs should also establish a security operations center or acquire managed security services to monitor for attempted or actual cyberattacks and establish a cyber incident response and management plan to resolve cyber threats and resume affected services.

6. Added measures to assess the firm’s cyber security

The 2013 version already prescribed vulnerability assessment and penetration testing. The 2021 version adds that FIs should carry out regular scenario-based exercises such as social engineering, tabletop or cyber range exercises to check the FI’s response, recovery and communication plans against cyber threats.

The FIs should also perform an adversarial attack simulation exercise. This provides a more realistic picture of an FI’s capability to prevent, detect and respond to real adversaries by simulating the tactics, techniques and procedures of real-world attackers to target people, processes and technology underpinning the FI’s critical business functions or services.

The 2021 guidelines also suggest what remediation should be established to track and resolve issues identified from cyber security assessments or exercises.

Appropriately implemented, the revised guidelines will bolster the preparedness of Singapore’s financial ecosystem and place firms on firmer footing as they navigate a post-COVID-19 climate.