News

MAS Revises the Technology Risk Management Guidelines

Jan 25 2021 | by OrionW

The Monetary Authority of Singapore (MAS) has issued revised Technology Risk Management Guidelines (Guidelines) to address emerging technology and cyber risks in a landscape of growing use of cloud technologies, application programming interfaces and rapid software development by financial institutions (FIs). 

Background to the Guidelines

The Guidelines set out technology risk management principles and best practices which FIs could adopt based on the nature, size and complexity of their business. The Guidelines apply to all FIs regulated by MAS and highlight the importance of integrating security controls into FIs’ operational and technological ecosystems. Although MAS positions the Guidelines as only providing general guidance that is supplementary to legislation, MAS considers FIs’ compliance with the spirit of the Guidelines in its supervision of FIs.

Board and Senior Management Roles and Responsibilities

The Guidelines set out the key roles and responsibilities of an FI’s board of directors and senior management in overseeing and managing technology risks, including:

  • the appointment of a Chief Information Officer and a Chief Information Security Officer to be responsible for managing technology and cyber risks;
  • the appointment of board members with the relevant knowledge for managing technology and cyber risks; and
  • oversight to ensure effective internal controls and to implement risk management practices to achieve security, reliability and resilience of the FI’s IT operating environment.   

Asset Management Practices

The Guidelines recommend the establishment of policies, standards and procedures for asset management.  Industry standards and best practices should be incorporated where appropriate to manage technology risks and safeguard information assets.  Such policies, standards and procedures should be regularly reviewed and updated. 

The Guidelines also recommend that FIs have accurate and comprehensive oversight of their IT operating environment and establish information asset management practices.   The practices should not be limited to information assets that are owned by the FI but should extend to third parties’ assets. 

Third Party Service Providers

Due to the growing reliance on third party service providers, MAS expects FIs to supervise third party service providers to ensure system resilience and preserve data confidentiality and integrity.

Recommended best practices include:

  • assessing and managing the FI’s exposure to technology risks affecting the confidentiality, integrity and availability of the third party’s IT systems and data before entering into a third party arrangement; and
  • ensuring the third party consistently employs a high standard of care and diligence in the safeguarding of data confidentiality, data integrity and system resilience.

Risk Mitigation Strategies

Risk mitigation strategies for FIs have been enhanced to establish sound and robust technology risk governance and oversight and maintain cyber resilience, including:

  • establishing a robust process for a timely cyber risk analysis and intelligence sharing within the financial ecosystem;
  • facilitating continuous monitoring and detection of cyber events and prompt responses to cyber incidents; and
  • conducting stress testing exercises to test an FI’s cyber defences against simulated real-world attack tactics.

Key Takeaway

The revision of the Guidelines indicates MAS’s increased expectations in relation to technology risk governance and security controls of FIs.  The extension of technology risk management to third party service providers offers clarity and reminds FIs to avoid neglecting the risks associated with such arrangements.  FIs should review their internal security policies and procedures to ensure compliance with the revised Guidelines.

For more information

OrionW regularly advises clients on financial technology matters.  For more information about the Technology Risk Guidelines, or if you have questions about this article, please contact us at fintech@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.