Monetary Authority of Singapore (MAS) Revises Technology Risk Management (TRM) Guidelines

On 18 January 2021, the Monetary Authority of Singapore (MAS) issued the revised Technology Risk Management (TRM) Guidelines to keep pace with the rapid digital transformation of the financial sector and the growing threats in the cyber security landscape.

Reliance on emerging technologies has brought significant benefits to the financial ecosystem. However, it has also increased the exposure of financial institutions (FIs) to a wide range of cyber security risks and vulnerabilities.

To address this, MAS has revised the TRM Guidelines to emphasise the need for stronger cyber security and cyber defence.

Who Needs to Comply with MAS TRM Guidelines?

The guidelines apply to financial institutions regulated by MAS, including the following categories:

Approved CIS Trustee

Dealing in Capital Markets Products

Product Financing

Providing Custodial Services

Licensed Fund Management Company

Registered Fund Management Company 

Licensed Trust Company

Direct Insurer (Life)

Direct Insurer (General)

Direct Insurer (Composite)

Reinsurer (Life)

Reinsurer (General)

Reinsurer (Composite)

Captive Insurer

Lloyd’s Asia Scheme

Financial Holding Company (Insurance)

General Insurance Agents

Credit/Charge Card Issuer

Finance Company

Full Bank (Branch)

Full Bank (Locally Incorporated)

Merchant Bank (Branch)

Merchant Bank (Locally Incorporated)

Venture Capital Fund Management Company

Corporate Finance Advisory

REIT Management

Credit Rating Agency

Securities Crowdfunding

Wholesale Bank (Branch)

Wholesale Bank (Locally Incorporated)

Financial Holding Company

Markets and Exchanges

Clearing House

Trade Repository

Benchmark Administrator/Submitter

Central Securities Depository

Holding Company of Exchange or Clearing House

Designated Payment System Operator

Designated Payment System Settlement Institution

Credit and Charge Card Licensee

Major Payment Institution

Standard Payment Institution

Money-changing Licensee


Key Takeaways from the 2021 TRM Guidelines

Here are some of the key amendments in the 2021 TRM Guidelines.

  • Additional guidelines on the roles of the Board of Directors and Senior Management.

The Board of Directors and Senior Management should ensure the appointment of a Chief Information Officer, Chief Technology Officer or Head of IT, and a Chief Information Security Officer or Head of Information Security, each with the requisite experience and expertise.

Whereas the 2013 guidelines only required the Board of Directors and Senior Management to be involved in key IT decisions, the 2021 guidelines provide that the Board of Directors and Senior Management should also include members with relevant knowledge of managing technology risks.

According to MAS, the intent of these changes is to ensure that the FI's Board of Directors and Senior Management comprise members who are experienced and knowledgeable enough to oversee the FI's technology strategy, operations and risks.

  • Management of all third-party service providers.

The 2021 guidelines recognise the risks associated with third-party services provisioned or delivered using IT, as well as with critical information being stored or processed electronically by a third-party provider. The FI's operations and its clients may be affected if the third-party provider suffers a system failure or a data breach.

In light of this, the 2021 guidelines require FIs to assess and manage all technology risks before entering into a contractual agreement or partnership with a third-party provider. In addition, FIs should ensure that the third-party provider employs a high standard of care and diligence in safeguarding data confidentiality and maintaining system resilience.

  • Software application development and management.

Acknowledging that software bugs and vulnerabilities frequently affect IT systems built with poor software practices, MAS has placed emphasis on the need for secure coding, source code review and application security testing.

  • Application programming interface development

The 2021 guidelines introduce a new requirement for FIs to develop a well-defined vetting process for assessing the suitability of third-party entities that wish to access their application programming interfaces (APIs), and for governing that third-party API access. Among other things, the vetting process should consider the third party's nature of business, cyber security posture, industry reputation and track record.

  • Cyber security operations and assessments

Cyber Threat Intelligence and Information Sharing

FIs are expected to establish a process to collect, process and analyse cyber-related information, including cyber events, cyber threat intelligence and information on system vulnerabilities. In addition, FIs are expected to procure cyber intelligence monitoring services and to share and receive cyber threat information with trusted partners.

Cyber Event Monitoring and Detection

In order to continuously monitor and analyse cyber events, FIs are advised to establish a security operations centre or acquire managed security services.

Cyber Incident Response and Management

The 2021 guidelines provide that FIs should establish a cyber incident response and management plan to isolate and contain the effects of a cyber incident and safely resume affected services. FIs should also put in place a process to investigate and identify the security or control deficiencies that allowed the incident to occur.

Cyber Security Assessments

To identify security vulnerabilities and ensure that the risks arising from them are properly managed, FIs should conduct regular vulnerability assessments (VA) and carry out penetration testing.

Vulnerability assessments should cover vulnerability discovery, identification of weak security configurations, open network ports and application vulnerabilities.

For penetration testing, a combination of black-box and grey-box testing is required.

Key Takeaway

While the revised TRM Guidelines may look overwhelming at first glance, they should help strengthen Singapore's financial ecosystem as it navigates the post-COVID-19 economy.