MAS issues updated Technology Risk Management Guidelines
On 18 January 2021, the Monetary Authority of Singapore ("MAS") issued updated Technology Risk Management Guidelines ("TRM Guidelines"), along with responses to industry feedback on its earlier consultation on proposed amendments. The updated TRM Guidelines took effect on their date of issuance (18 January).
- As previously, the TRM Guidelines apply broadly to all FIs regulated by the MAS.
- The MAS has clarified that the TRM Guidelines will not apply to FIs' overseas subsidiaries and branches. However, where these subsidiaries or branches are providing IT services to the Singapore entity, FIs should ensure that their TRM practices remain aligned with the TRM Guidelines.
We set out below a few key amendments to the TRM Guidelines:
1. Enhanced risk mitigation strategies for FIs
- FIs should establish robust processes to collect, process and analyse cyber-related information for relevance and potential impact to their business and IT environment.
- FIs should actively participate in cyber threat information-sharing arrangements with trusted parties to share and receive timely and actionable cyber threat information.
- FIs should stress test their cyber defences regularly by conducting cyber exercises (e.g. social engineering, table-top, cyber range exercises) to validate their response and recovery processes.
2. Expectations of FIs to oversee third party arrangements
- The TRM Guidelines will apply to third party services that are used by FIs but which may not constitute 'outsourcing arrangements', as defined in the Outsourcing Guidelines. For example, third party firms providing IT forensics services will be in scope (even where the FI is not dependent on the service on an ongoing basis).
- The FI should assess and manage its exposure to technology risks that may affect the confidentiality, integrity and availability of the IT systems and data at the third party before entering into a contractual agreement or partnership.
- On an ongoing basis, FIs should ensure that third parties employ high standards of care and diligence in protecting data confidentiality and integrity as well as ensuring system resilience.
- The MAS has stressed that the use of third party service providers should not result in a deterioration of controls and compromise of risk management on the part of the FI. FIs should ensure that their third party service providers are able to meet regulatory standards expected of them.
3. Additional guidance on the roles and responsibilities of the Board and Senior Management
- The MAS expects an FI's board of directors and senior management ("BSM") to play an integral part in the oversight and management of technology risk. BSM should cultivate a strong risk culture and ensure the establishment of a sound and robust technology risk management framework.
- BSM should include members with the knowledge to understand and manage technology risks, which include risks posed by cyber threats.
- In particular, BSM should ensure that a Chief Information Officer and Chief Information Security Officer (or the equivalent) with requisite experience and expertise are appointed and accountable for the management of their FI's technology and cyber risk.