MAS TRM Guidelines

In the wake of the cyber-attacks of recent years that targeted multiple IT service providers, the Monetary Authority of Singapore (MAS) issued revised Technology Risk Management (TRM) Guidelines on Monday, 18 January 2021.

The revision comes amid a worsening cybersecurity situation and a growing threat landscape in the industry. The revised guidelines apply to all financial institutions in Singapore, including banks, payment services firms, brokerages and insurers, and were revised to address technology and cyber risks across the industry.

According to MAS, the updated guidelines are meant to address the challenges and risks arising from financial institutions' (FIs') growing use of cloud technologies, application programming interfaces (APIs) and rapid software development. Some key highlights of the updated TRM Guidelines are given below.

  • The guidelines set out key risk mitigation strategies for FIs, calling for robust processes for the timely collection and analysis of cyber threat intelligence.
  • They further require FIs to share cyber threat intelligence and analysis within the financial ecosystem.
  • FIs are required to conduct cybersecurity exercises that stress-test their cyber defences by simulating the tactics, techniques and procedures (TTPs) used by real-world attackers.
  • Given the growing reliance on third-party service providers, MAS requires FIs to exercise strong oversight of the measures those providers adopt to strengthen their security controls and systems.
  • FIs are required to verify that each third party takes all necessary measures to ensure system resilience and maintain data confidentiality.
  • The guidelines highlight the need to assess and manage the FI's exposure to technology risks that may affect the confidentiality and availability of IT systems and data held at a third-party service provider before any contractual agreement or partnership is established.
  • FIs should also ensure, on an ongoing basis, that the third party applies a high standard of care and diligence in securing data confidentiality, integrity and system resilience.
  • FIs are expected to have established processes in place to ensure that all personnel have the competence required to perform the necessary IT functions and manage technology risks.
  • The revised guidelines also set out the roles and responsibilities of the board of directors and senior management.
  • The board and senior management are expected to appoint a Chief Information Officer (CIO) and a Chief Information Security Officer (CISO) with the requisite experience and expertise.
  • The appointed CIO and CISO are accountable for managing technology and cyber risks.
  • The board should include members with the relevant knowledge to provide effective oversight of technology and cyber risks.
  • The revised guidelines incorporate feedback received from the public consultation conducted in 2019, which involved MAS engagement with the industry and with MAS' Cyber Security Advisory Panel (CSAP).

The Technology Risk Management Guidelines are a set of best practices issued for the benefit of FIs. The document serves as a guide to help FIs establish technology risk management principles, practices and controls to address technology and cyber risks.

MAS expects FIs to observe the guidelines, since the degree to which an FI observes them is used as a reference when MAS conducts its risk assessment of that FI. For the full text of the TRM Guidelines, refer to https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf


Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA and CRISC) is the Founder and Director of VISTA InfoSec, a global information security consulting firm based in the US, Singapore and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment and compliance services. VISTA InfoSec specialises in information security audit, consulting and certification services, including GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2 compliance and audit, PDPA and PDPB, to name a few. Since 2004 the company has worked with organisations across the globe to address the regulatory and information security challenges in their industries, and has been instrumental in helping multinational companies achieve compliance and secure their IT infrastructure.