The Monetary Authority of Singapore (MAS) has issued revised Technology Risk Management Guidelines (Guidelines) to address emerging technology and cyber risks in a landscape of growing use of cloud technologies, application programming interfaces and rapid software development by financial institutions (FIs).
The Guidelines set out technology risk management principles and best practices which FIs could adopt based on the nature, size and complexity of their business. The Guidelines apply to all FIs regulated by MAS and highlight the importance of integrating security controls into FIs’ operational and technological ecosystems. Although MAS positions the Guidelines as only providing general guidance that is supplementary to legislation, MAS considers FIs’ compliance with the spirit of the Guidelines in its supervision of FIs.
The Guidelines set out the key roles and responsibilities of an FI’s board of directors and senior management in overseeing and managing technology risks, including:
The Guidelines recommend the establishment of policies, standards and procedures for asset management. Industry standards and best practices should be incorporated where appropriate to manage technology risks and safeguard information assets. Such policies, standards and procedures should be regularly reviewed and updated.
The Guidelines also recommend that FIs have accurate and comprehensive oversight of their IT operating environment and establish information asset management practices. The practices should not be limited to information assets that are owned by the FI but should extend to third parties’ assets.
Due to the growing reliance on third party service providers, MAS expects FIs to supervise third party service providers to ensure system resilience and preserve data confidentiality and integrity.
Recommended best practices include:
Risk mitigation strategies for FIs have been enhanced to establish sound and robust technology risk governance and oversight and maintain cyber resilience, including:
The revision of the Guidelines indicates MAS’s increased expectations in relation to technology risk governance and security controls of FIs. The extension of technology risk management to third party service providers offers clarity and reminds FIs to avoid neglecting the risks associated with such arrangements. FIs should review their internal security policies and procedures to ensure compliance with the revised Guidelines.
OrionW regularly advises clients on financial technology matters. For more information about the Technology Risk Guidelines, or if you have questions about this article, please contact us at firstname.lastname@example.org.
Disclaimer: This article is for general information only and does not constitute legal advice.