
Technology Risk Management Guidelines for Financial Organisations in Singapore
Over the years, the rapid proliferation of state-of-the-art technology has made it an excellent enabler of innovation. However, it also presents unavoidable, pervasive and potentially high-impact risk. This risk can come in the form of data theft, compromised accounts, destroyed files, or disabled or degraded systems.
In essence, the evolving technological landscape dictates that financial institutions in Singapore make strategic decisions on which technologies to adopt and which to avoid.
This is because weak controls in technology can result in processing errors, security risks, or unauthorised transactions.
To help oversee and regulate technology risk, the Singapore government has issued guidelines and recommended best practices for financial institutions dating as far back as 2013.
What is Technology Risk Management (TRM)?
Technology risk refers to any risk of financial loss, disruption or reputational damage that an organisation may suffer due to the failure of its information technology systems. Technology risks that can disrupt business operations include:
- Cybersecurity and incident response risk
- IT resilience and business continuity risk
- Risk of ineffective risk management
- Data management risk
- Technology vendor and third-party risk
- Technology operations risk
Technology Risk Management (TRM) seeks to provide frameworks and contingencies for managing these technology risks.
TRM strategies aim to prevent the actions of bad actors, such as ransomware intrusions, exploitation of data leaks, and other cybercrimes, from having dire consequences for organisations and their customers.
TRM requirements typically achieve this by ensuring that organisations follow best practices and are subject to regulatory oversight, so as to avoid compromised systems, lost business and lost customer trust.
MAS Technology Risk Management 2021 Revised Guidelines Checklist
Singapore’s TRM Guidelines are developed by the Monetary Authority of Singapore (MAS). MAS crafted extensive guidelines comprising 12 sections and five appendices, covering areas from Senior Management, IT Outsourcing, Risk Frameworks and Acquisition to IT Service Management and more.
In 2021, MAS released a revised edition of its Technology Risk Management Guidelines after considering public feedback from 2019 consultations and engagement with cybersecurity experts.
The revised TRM guidelines published on 18 January 2021 still retain some overlap with the previous 2013 TRM Guidelines. However, several notable changes were instituted to keep abreast with current state-of-the-art trends in technology development and deployment.
In particular, the guidelines impose more stringent requirements on financial institutions (FIs) and senior management (boards of directors) regarding technology risk governance and security controls.
Additionally, the central theme of the revised guidelines is enhanced secure software development practices, extended management of risks from emerging technologies such as the Internet of Things (IoT), and an augmented focus on cyber resilience.
1. Technology Risk Oversight
In contrast to the 2013 TRM version, where minimal oversight was demanded from FIs when selecting vendors and contractors, the new TRM Guidelines go a notch further by imposing new requirements such as:
- Meticulous evaluation of vendors and contractors’ software development, quality assurance and security practices.
- Well-defined vetting mechanisms for assessing third parties wishing to access FIs’ APIs (application programming interfaces). These mechanisms should carefully evaluate the third party’s nature of business, track record, cybersecurity posture, and industry reputation.
Generally speaking, this move is supposed to help mitigate the technology risks posed by the third parties’ services by carefully considering the standards and risk treatment measures instituted by vendors.
2. Technology Risk Governance
With regard to risk governance, the extended TRM Guidelines institute an expanded list of roles and responsibilities for boards and senior management. To summarise the requirements:
- Boards of Directors are recommended to have members with competent knowledge of technology and cyber risks.
- Directors should approve the risk appetite and risk tolerance statement in the organisation.
- Boards and senior management should ensure that critical IT security decisions are made in accordance with an organisation’s risk appetite.
3. Effective and Efficient Cyber Surveillance Measures
Generally, financial institutions will be expected to conduct cybersecurity reviews whenever a major change in the operating environment or threat landscape occurs. The revised TRM guidelines encourage frequent cybersecurity exercises that consider the criticality of the controls, processes, systems or services involved, such as:
- Penetration testing and red team exercises to derive an accurate assessment of the robustness of their security measures.
- Cyber exercises to validate infrastructural response and recovery.
- The use of a combination of automated tools and techniques to conduct vulnerability assessments and adversarial attack simulation exercises.
4. System and Software Development
The new guidelines recommend a focus on processes to collect, process, and analyse relevant cyber-related information that could impact FIs’ business operations and IT infrastructure. As such, organisations are advised to:
- Regularly employ cyber intelligence monitoring services, or establish an in-house security operations centre to facilitate continuous monitoring and analysis of cyber events.
- Institute mechanisms to detect and respond to misinformation related to them, propagated through the Internet.
- Design a cyber-incident response and management plan to quickly isolate and neutralise cyber threats, so that affected services can be resumed securely and without undue delay.
- Institute minimal vulnerability assessment requirements, such as the extent of penetration testing to be carried out, a vulnerability discovery process, and identification of weak security configurations.
- Execute regular scenario-based cyber exercises to validate the organisation’s responses and recovery plans.
- Regularly engage in adversarial attack simulation exercises to test in-house capabilities to prevent, detect and respond to cyber threats. Organisations are encouraged to do this by simulating perpetrators’ tactics, techniques, and procedures that target the customers, processes, and the technology underpinning their business operations or services.
5. Management of Cyber Risks posed by Emerging Technologies
The new TRM guidelines also put particular emphasis on emerging technologies like IoT devices to ensure that the networks they connect to are highly secure.
The guidelines principally dictate that communication protocols from IoT devices should be monitored in a manner that enables FIs to detect and respond to suspicious and nefarious activities in a timely manner.
Risk Mitigation Strategies for Financial Institutions
With the continued reliance of businesses on technology and innovation, technology risk management will continue to play a strategic role in the growth of Singapore businesses.
Unfortunately, bad actors and cyberattacks can never be fully eliminated. As such, solid and consistent risk management programs should be implemented by Singaporean FIs to deal with them.
It’s worth noting that TRM Guidelines are recommended ‘best practice standards’ and ‘principles’ that aim to serve as a safety net for financial institutions and their customers.
They are not strictly legal obligations per se. So, here are some action points FIs can consider when aiming to comply with the 2021 TRM Guidelines:
- Define your scope and risk-assess your critical systems by executing holistic technical assessments that identify the gaps between the previous TRM guidelines, as applied to your existing operations, and the new requirements, and address them accordingly.
- Revise your governance structure to ensure that Board members and senior management competently execute their expanded roles and responsibilities in line with the new guidelines.
- Institute mechanisms and processes that facilitate compliance with the stringent requirements imposed on third-party vendors and contractors.
- Implement applicable risk mitigation strategies to handle potential threats from emerging technologies.
- Maintain continual cyber situational awareness and execute appropriate cybersecurity operations and assessment frameworks.
The end goal is to ensure that your organisation maintains a robust TRM framework to meet MAS compliance responsibilities. In that line of thought, there are some additional actions that management teams can take:
- Forming an IT risk committee.
- Inviting an IT expert to take a seat on the board.
- Extending internal audits to strengthen the focus on IT risk, with reports independently submitted to the board.
- Increasing overall organisational transparency by focusing less on traditional IT projects, and more on IT risk events, resiliency, and risk.
- Defining clear thresholds for IT risk situations that must be regularly brought to the board’s attention, such as substantial IT investments, proposed third-party vendor contracts that might pose significant IT risks, cyber breaches, and system outages.
What are the implications of the Notice?
With the newly revised TRM guidelines, financial institutions will have to adjust accordingly in different ways. For instance:
- They will have to regularly perform business impact analysis exercises and institute frameworks to identify critical IT systems.
- They will have to curate comprehensive Disaster Recovery (DR) plans that institute a recovery time objective (RTO) of not less than four hours for critical systems.
- They will have to implement strong encryption of customer data, together with IT controls that protect customer information from unauthorised access.
- They will require mechanisms to ensure high availability for critical systems to avert scenarios where unscheduled downtime lasts more than four hours.
- They will require real-time IT monitoring and reporting procedures, as well as mechanisms to inform MAS of any major IT security incidents.
Who is affected by the notice on Technology Risk Management by MAS?
Financial Institutions
In essence, the new guidelines affect different financial institutions, particularly those in:
- Banking
- Capital Markets
- Insurance and Insurance brokerage
- Electronic Payments (operators and settlement institutions of designated electronic payment systems)
- Finance companies and licensed financial advisers
- Credit card or charge card licensees
For a more comprehensive list, refer to the list of financial institutions subject to the Notice on Technology Risk Management.
Spill-over effects on Third-party Vendors
Apart from financial institutions, third-party contractors and vendors that work or partner with FIs are affected as well. They are duly expected to deliver high standards of security and compliance to support the FIs’ efforts to meet the TRM guidelines.
FIs are expected to institute high standards of care and diligence when engaging with third parties.
Consequently, any enterprise or organisation reliant on third-party vendors is subject to TRM requirements, as every part of the value chain can pose technological threats and risks.
Final Remarks
All things considered, Technology Risk Management has financial, strategic, operational, regulatory, and reputational implications for businesses in Singapore.
To address technology risks, management teams need to be competently conversant with the IT landscape in order to guide their organisations through these requisites, as mismanagement can increase the cost and complexity of TRM strategies.
To further exacerbate issues, the technology employed in a financial institution may become archaic or uncompetitive over time, while mergers and acquisitions could further complicate TRM efforts.
Regardless, if companies strictly adhere to the TRM guidelines or hire experts to help them navigate this terrain, they should be able to better safeguard themselves and reduce their exposure to technology risks.
