On 18 January 2021, the Monetary Authority of Singapore (MAS) issued the revised Technology Sisk Management (TRM) guidelines to keep pace with the massive digital transformation and the ever-growing threat in the cybersecurity landscape.
There’s no denying the fact that the reliance on emerging technologies has brought significant benefits to the financial ecosystem However, it has also increased the exposure of financial institutions (FIs) to a wide range of cyber security risks and vulnerabilities.
With this, MAS has revised the TRM guidelines to emphasise the need for better cyber security and defence.
Who Needs to Comply with MAS TRM Guidelines?
Approved CIS Trustee Dealing in Capital Markets Products Product Financing Providing Custodial Services Licensed Fund Management Company Registered Fund Management Company Licensed Trust Company Direct Insurer (Life) Direct Insurer (General) Direct Insurer (Composite) Reinsurer (Life) Reinsurer (General) Reinsurer (Composite) Captive Insurer Lloyd’s Asia Scheme Financial Holding Company (Insurance) General Insurance Agents Credit/Charge Card Issuer Finance Company Full Bank (Branch) Full Bank (Locally Incorporated) Merchant Bank (Branch) Merchant Bank (Locally Incorporated) | Venture Capital Fund Management Company Corporate Finance Advisory REIT Management Credit Rating Agency Securities Crowdfunding Wholesale Bank (Branch) Wholesale Bank (Locally Incorporated) Financial Holding Company Markets and Exchanges Clearing House Trade Repository Benchmark Administrator/Submitter Central Securities Depository Holding Company of Exchange or Clearing House Designated Payment System Operator Designated Payment System Settlement Institution Credit and Charge Card Licensee Major Payment Institution Standard Payment Institution Money-changing Licensee |
Key Takeaway from the 2021 TRM Guidelines
Here are some of the key amendments to the 2021 TRM guidelines.
Additional guidelines on the roles of the Board of Directors and Senior Management.
The Board of Directors and Senior Management should ensure the appointments of the Chief Information Officer, Chief Technology Officer or Head of IT, and a Chief Information Security Officer or Head of Information Security with requisite experience and expertise.
Compared to the 2013 guidelines which stated that only the Board of Directors and Senior Management must be involved in key IT decisions, the 2021 guidelines provided that the Board of Directors and Senior Management should also include members with relevant knowledge on managing technology risks.
According to MAS, the intent of these changes is to encourage the FI’s Board of Directors and Senior Management to comprise members that are experienced and knowledgeable enough to oversee FI’s technology strategy, operations and risks.
Management of all third-party service providers.
The 2021 guidelines recognise the risks associated with third-party services provisioned or delivered using IT as well as critical information being stored or processed electronically by a third-party provider. The FI’s operations and its clients may be affected if and when the third-party provider suffers from a system failure or a data breach.
In lieu of this, 2021 guidelines required FIs to assess and manage all technology risks before entering into a contractual agreement or partnership with a third-party provider. In addition, FIs should ensure that the third-party provider employs a high standard of care and diligence in terms of safeguarding data confidentiality and maintaining system resilience.
Software application development and management.
Acknowledging the existence of software bugs and vulnerabilities that often target an IT system with poor software practices, MAS has put emphasis on the need for cure coding, source code review and application security testing.
Application programming interface development
The 2021 guidelines introduce a new requirement for FIs to develop a well-defined vetting process for assessing the suitability of third-party entities that wish to access their application programming interfaces (APIs) and the governing third-party API access. Among others, the vetting process should include the third-party’s nature of business, cyber security posture, industry reputation and track record.
Cyber security operations and assessments
Cyber Threat Intelligence and Information Sharing
The FIs are tasked to establish a process to collect, process and analyse cyber-related information. This would include cyber events, cyber threat intelligence and information on system vulnerabilities. In addition to this, the FIs are expected to procure cyber intelligence monitoring services and at the same time, share and receive cyber threat information from trusted partners.
Cyber Event Monitoring and Detection
In order to continuously monitor and analyse cyber events, the FIs are advised to establish a security operations centre or acquire managed security services.
Cyber Incident Response and Management
The 2021 guidelines suggested that FIs should establish a cyber incident response and management plan to smoothly isolate and neutralise the effect of a cyber threat and safely resume affected services. The FIs should also introduce a process to investigate and identify the security or control deficiencies that led to such threats.
Cyber Security Assessments
To identify security vulnerabilities and ensure that risks that may possibly arise from these gaps are handled properly, the FIs should conduct regular vulnerability assessments (VA) and carry out penetration testing.
When performing vulnerability assessment, the focus should include vulnerability discovery, identification of weak security configurations, open network ports and application vulnerabilities.
For penetration testing, a combination of blackbox and greybox testing will be required.
Key Takeaway
While the revised TRM guidelines may look overwhelming at first glance, it can undoubtedly help strengthen Singapore’s financial ecosystem as it navigates the post-COVID-19 economy.
Detect and remediate in real-time against cyber attacks with comprehensive Security-as-a-Service CyberSecurity solution.
Grants available for eligible Singapore SMEs.