The Revised Technology Risk Management Guidelines of Singapore
After engaging with cyber security experts and using the feedback from a 2019 public consultation, the Monetary Authority of Singapore (MAS) has recently revised its Technology Risk Management Guidelines (“TRM Guidelines”). While there is some overlap between the revised 2021 Edition and the previous 2013 Edition, the revised TRM Guidelines have been developed to keep pace with current trends in technology deployment and development.
On January 28, 2021, MAS issued new Technology Risk Management Guidelines, which refresh and substantially update the 2013 Guidelines. The new guidelines apply to all Financial Institutions (“FIs”), including payment services licensees.
The seven (7) key amendments in the 2021 TRM Guidelines fall into three (3) categories: additional guidance on the roles and responsibilities of the Board of Directors and Senior Management; more stringent assessments of third party vendors and entities that access the FI’s IT systems; and the introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem. The key changes are summarized below.
7 Key Amendments of Revised Guidelines of Singapore
Additional guidance on the roles and responsibilities of the Board of Directors and Senior Management
- Expanded roles and responsibilities for the Board of Directors and Senior Management
This amendment provides that the Board and Senior Management must ensure that a Chief Information Officer (or equivalent) and a Chief Information Security Officer (or equivalent), possessing the required experience and expertise, are appointed and held accountable for managing technology and cyber risks (3.1.3, 2021 Guidelines).
It is also imperative for the Board and Senior Management to include members who possess knowledge of cyber risk and technology (3.1.2, 2021 Guidelines). Furthermore, the 2021 Guidelines provide an extended list of responsibilities of the Board and Senior Management for technology risk management (3.1.7 & 3.1.8, 2021 Guidelines).
More stringent assessments of third party vendors and entities that access the FI’s IT systems
- Assessment of tech vendors
Under the revised guidelines, FIs are now required to establish standards and procedures for vendor evaluation that are pegged to the criticality of the project deliverables to the FI (5.3.1, 2021 Guidelines). This assessment comprises a detailed analysis of the vendor’s software development, security practices, and quality assurance (5.3.2 to 5.3.4, 2021 Guidelines).
- Assessment of third parties’ suitability in connecting to Application Programming Interfaces (APIs) and governing third party API access
Under the revised guidelines, FIs are also now required to develop a well-defined vetting process for assessing third party entities that wish to access their Application Programming Interface (“API”) and for governing the nature of that API access (6.4.2, 2021 Guidelines). This vetting process includes, amongst others, evaluating the third party’s nature of business, industry reputation, cyber security posture, and track record (6.4.2, 2021 Guidelines).
Introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem
- Cyber Threat Monitoring and Information Sharing
Under the Revised Technology Risk Management Guidelines of Singapore, FIs are now required to establish a process for collecting, processing and analysing cyber-related information (12.1.1, 2021 Guidelines), and this information should be buttressed by cyber intelligence monitoring services (12.1.2, 2021 Guidelines).
Furthermore, it is imperative for FIs to establish a security operations centre or acquire managed security services in order to facilitate continuous monitoring and analysis of cyber events (12.2.1, 2021 Guidelines).
- Cyber Incident Response and Management
Under the Revised Technology Risk Management Guidelines of Singapore, FIs are required to establish a Cyber Incident Response and Management plan to isolate and neutralize a cyber threat and to securely resume affected services. With this, FIs need to establish a process to investigate and identify the security or control deficiencies and lay out the communication, coordination and response procedures to address such threats (12.3.1 & 12.3.2, 2021 Guidelines).
- Cyber Security Assessments
Under the Revised Technology Risk Management Guidelines of Singapore, it is imperative for FIs to assess their cyber security through vulnerability assessment and penetration testing. The guidelines set out the minimum requirements for the vulnerability assessment, which include the vulnerability discovery process, the identification of weak security configurations and open network ports, and the extent of penetration testing to be carried out (13.1.2, 2021 Guidelines).
Furthermore, penetration testing under the 2021 Guidelines now requires FIs to perform a combination of black-box and grey-box testing (13.2, 2021 Guidelines).
- Simulation of cyber attack tactics, techniques and procedures
Under the Revised Technology Risk Management Guidelines of Singapore, it is now imperative for FIs to carry out regular scenario-based cyber exercises to validate their response and recovery plans. According to the provision, these exercises should involve Senior Management, business functions, technical staff responsible for cyber threat detection, response and recovery, and other relevant stakeholders (13.3.1 & 13.3.2, 2021 Guidelines). The guidelines also provide that these exercises should take the form of an adversarial attack simulation by a red team in order to test and validate the effectiveness of the FI’s cyber defence and response plan (13.4.1, 2021 Guidelines). Afterwards, the exercise should be followed by a comprehensive remediation process (13.6.1, 2021 Guidelines).
What does this mean to Businesses in Singapore?
The Monetary Authority of Singapore expects Financial Institutions and their businesses to comply with the Revised Technology Risk Management Guidelines of Singapore, particularly bearing in mind:
- The need to conduct a stock take of the FI’s information assets, as well as the processes and controls that are in place to manage these information assets according to their security classification or criticality
- The need for a heightened awareness of certain cyber security risks
Failure to comply with these mandatory obligations will result in penalties.