Seven Takeaways From MAS’ Technology Risk Management Guidelines

The amended guidelines represent a firm step towards further strengthening the defences of Singapore’s financial ecosystem, placing the industry in good stead for the post-Covid economic recovery. 

On 18 January 2021, the Monetary Authority of Singapore (“MAS”) issued the new Technology Risk Management Guidelines (“2021 Guidelines”), which heavily updated and refreshed the previous Technology Risk Management Guidelines in 2013 (“2013 Guidelines”). These guidelines apply to all Financial Institutions (“FIs”), which also includes payment services licensees.

There were three key categories of amendments. The first relates to additional guidance on the roles and responsibilities of the Board of Directors and Senior Management. The second relates to more stringent assessments of third party vendors and entities that access the FI’s IT systems. The third, and most extensive, relates to the introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem.

This update from MAS, which also incorporates feedback from an earlier public consultation conducted by MAS in 2019, is timely in light of the increased data sharing by FIs and the increase in cyber-attacks on third party technology vendors. The key changes are summarised below.

Also Read: 15 Best Tools For Your Windows 10 Privacy Settings Setup

7 Key Amendments within the 2021 Guidelines

Additional guidance on the roles and responsibilities of the Board of Directors and Senior Management

1) Expanded roles and responsibilities for the Board of Directors and Senior Management

The 2021 Guidelines introduces the guidance that the Board and Senior Management should ensure that a Chief Information Officer (or its equivalent) and a Chief Information Security Officer (or its equivalent), with the requisite experience and expertise, are appointed to be accountable for managing technology and cyber risks (3.1.3, 2021 Guidelines). In comparison, the 2013 Guidelines only required the Board and Senior Management to have general oversight of the technology risks of the FI (3.0.2, 2013 Guidelines).

The 2021 Guidelines also provides that the Board and Senior Management should include members with knowledge of technology and cyber risks (3.1.2, 2021 Guidelines). In comparison, the 2013 Guidelines only provided for the Board and Senior Management to be involved in key IT decisions (3.1.1, 2013 Guidelines).

Finally, the 2021 Guidelines also includes an extended list of Board and Senior Management responsibilities for technology risk management (3.1.7 & 3.1.8, 2021 Guidelines). This list is a marked expansion of the original list of responsibilities of the Board and Senior Management within the 2013 Guidelines (3.1, 2013 Guidelines).

MAS has clarified that the intent of these changes is for the FI’s Board and Senior Management to comprise members who are able to competently exercise their oversight of the FI’s technology strategy, operations and risks (3.4, Response to Consultation Paper for TRM Guidelines 2021).

More stringent assessments of third party vendors and entities that access the FI’s IT systems

2) Assessment of tech vendors

The 2021 Guidelines introduces a requirement for the FI to establish standards and procedures for vendor evaluation that is pegged to the criticality of the project deliverables to the FI (5.3.1, 2021 Guidelines). This assessment includes, amongst others, a detailed analysis of the vendor’s software development, quality assurance and security practices (5.3.2 to 5.3.4, 2021 Guidelines). In comparison, the 2013 Guidelines only required FIs to be careful in their selection of vendors and contractors and to implement a screening process when engaging them (3.3.1, 2013 Guidelines).

While these additions may seem onerous, MAS has clarified that FIs may adopt a risk-based approach when assessing the robustness of their software vendor’s security and quality assurance practices (5.12, Response to Consultation Paper for TRM Guidelines 2021). Further, FIs may also obtain an undertaking from the software vendor on the quality of the software to gain assurance that the third party software is secure (5.14, Response to Consultation Paper for TRM Guidelines 2021).

3) Assessment of third parties’ suitability in connecting to Application Programming Interface (APIs) and governing third party’s API access

The 2021 Guidelines introduces a requirement for FIs to develop a well-defined vetting process for assessing third party entities that wish to access their Application Programming Interface (“API”) and for governing the nature of the API access (6.4.2, 2021 Guidelines). The vetting process includes, amongst others, evaluating the third party’s nature of business, cyber security posture, industry reputation and track record (6.4.2, 2021 Guidelines). FIs should consider a list of further requirements as detailed in sections 6.4.1 to 6.4.8 of the 2021 Guidelines.

These developments are new as the 2013 Guidelines did not include any provisions that governed API access.

With regards to the scope of the guidelines on APIs, MAS has indicated the key aspects are (1) using strong encryption to securely transmit sensitive data, (2) building capabilities to monitor the usage of APIs and (3) detecting suspicious activities and revoking any access in the event of a security breach (6.25, Response to Consultation Paper for TRM Guidelines 2021). MAS has also recommended that FIs can look to the MAS-ABS Financial World: API Conference 2016 E-book and the ABS-MAS Financial World: Finance-as-a-Service API Playbook as references for best practices (6.26, Response to Consultation Paper for TRM Guidelines 2021).

Introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem

4) Cyber Threat Monitoring and Information Sharing

The 2021 Guidelines introduces the guidance that FIs should establish a process of collecting, processing and analysing cyber related information (12.1.1, 2021 Guidelines). This information should be buttressed by cyber intelligence monitoring services, procured by the FI (12.1.2, 2021 Guidelines). This information should then be shared with trusted parties to create a more robust financial ecosystem (12.1.2, 2021 Guidelines).

Further, the 2021 Guidelines provides that FIs should establish a security operations centre or acquire managed security services in order to facilitate the continuous monitoring and analysis of cyber events (12.2.1, 2021 Guidelines). In comparison, the 2013 Guideline only provides general suggestions for FIs to implement security solutions to adequately address and contain threats to its IT environment (9.0.1 & 9.0.2, 2013 Guidelines)

MAS has clarified that it does not require FIs to subscribe to any specific cyber threat intelligence monitoring and sharing services (12.13, Response to Consultation Paper for TRM Guidelines 2021). Rather, the intent is for the FI to participate in cyber threat information sharing arrangements with trusted parties where appropriate (12.9 &12.10, Response to Consultation Paper for TRM Guidelines 2021).

5) Cyber Incident Response and Management

The 2021 Guidelines provides that FIs should establish a Cyber Incident Response and Management plan to isolate and neutralize a cyber threat and to securely resume affected services. This introduces a need for FIs to establish a process to investigate and identify the security or control deficiencies and lay out the communication, coordination and response procedures to address such threats (12.3.1 & 12.3.2, 2021 Guidelines). In comparison, the 2013 Guidelines only provided for a general incident management plan for a disruption to the standard delivery of IT services (7.3, 2013 Guidelines). This new and targeted addition by MAS reflects the importance that MAS places on managing responses to cyber threats.

MAS has indicated that practically, the Cyber Incident Response and Management plan can be part of the FI’s larger incident management plan (12.35, Response to Consultation Paper for TRM Guidelines 2021).

6) Cyber Security Assessments

The 2021 Guidelines provides that FIs assess their cyber security through vulnerability assessment and penetration testing. The 2021 Guidelines dictates the minimal requirements of the vulnerability assessment which include the vulnerability discovery process, an identification of weak security configurations and open network ports and the extent of penetration testing to be carried out (13.1.2, 2021 Guidelines). Penetration testing under the 2021 Guidelines will also require FIs to perform a combination of blackbox and greybox testing (13.2, 2021 Guidelines). This represents a marked expansion of the original scope of vulnerability assessment and penetration testing as laid out in the 2013 Guidelines (9.4, 2013 Guidelines).

MAS has indicated that the risk assessment of an FI’s environment, especially the cyber security assessment, should form an integral part of the FI’s efforts in mitigating security threats and systems’ vulnerabilities (13.5 and 13.6, Response to Consultation Paper for TRM Guidelines 2021).

7) Simulation of cyber attacks tactics, techniques and procedures

The 2021 Guidelines provides that FIs should carry out regular scenario-based cyber exercises to validate their response and recovery plan. These exercises should involve the Senior Management, business functions, technical staff responsible for cyber threat detection, response and recovery and other relevant stakeholders (13.3.1 & 13.3.2, 2021 Guidelines). The 2021 Guidelines detail that the exercises should be in the form of an adversarial attack by a red team in order to test and validate the effectiveness of its cyber defence and response plan (13.4.1, 2021 Guidelines). A comprehensive remediation process should follow after the exercise (13.6.1, 2021 Guidelines). In comparison, the 2013 Guidelines only provided a general comment that simulations of actual attacks could be carried out as part of a penetration test (9.4.4, 2013 Guidelines).

MAS has clarified that the intent of these simulations is to obtain an accurate evaluation of the robustness of the FI’s cyber defences to ensure adequate protection (13.17, Response to Consultation Paper for TRM Guidelines 2021).

Also Read: How Formidable is Singapore Cybersecurity Masterplan 2020?

Implications and Next Steps

The issuance of the 2021 Guidelines comports with MAS’ emphasis on cyber security, in light of the recently publicized Finastra and SolarWinds cyber-attacks.

In preparation for compliance with the 2021 Guidelines, FIs will now need to take steps to ensure that:

• the Board and Senior Management are apprised of the expanded responsibilities that have been ascribed to them;
• there is an assessment procedure for potential tech vendors and API access;
• the monitoring, assessing, reporting of cyber threats are in line with the 2021 guidelines and that the relevant simulations and testing are adhered to routinely.

Whilst these new guidelines may appear taxing at first blush, they represent a firm step in the right direction of strengthening the defenses of Singapore’s financial ecosystem. This will undoubtedly place the industry in good stead for the post-Covid economic recovery.