Recognising the worsening environment of cyber threats while financial institutions (FIs) expand their adoption of emerging technologies to increase their operational efficiency and to deliver better customer service, the revised TRM Guidelines focus on the following:
- Board and Senior Management. Introduction of additional guidance on the roles and responsibilities of the Board of Directors and Senior Management (BSM)
- Management of third parties. Introduction of more stringent assessments of third-party vendors and entities that access the FI’s IT systems
- System and software development. Introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem
We summarise on a non-exhaustive basis below, three broad categories of amendments and MAS’ higher expectations in the areas of technology risk governance and security controls in FIs.
Summary of new provisions
Many of the expectations in the revised TRM Guidelines are taken from the 2013 edition. To prevent fraudulent financial transactions, exfiltration of sensitive financial data or disruption of vital IT systems, we summarise and contrast against the 2013 edition, below, MAS’ enhanced expectations and new guidance on the following:
- Establishing sound, robust technology risk governance and oversight
- Effective cyber surveillance
- Secure system and software development
- Adversarial attack simulation exercise
- Management of cyber risks posed by the emerging technologies such as Internet of Things (IoT)
The table below…
Technology risk governance
Additional guidance is introduced so that the FI’s BSM comprises individuals who are able to competently exercise oversight of the FI’s technology strategy, operations and risks. This guidance is deliberately broad, as the nature, size and complexity of FIs vary.
The 2013 edition required the BSM to accomplish the following:
In contrast, the TRM Guidelines now provide an expanded list of roles and responsibilities for the BSM, of which the roles and responsibilities have been segregated for the board and senior management, respectively:
MAS also expects the following:
For the FI whose board of directors is not based in Singapore, these roles and responsibilities in the TRM Guidelines can be delegated to and performed by a management committee or body beyond local management that is empowered to oversee and supervise the local office (e.g., a regional risk management committee).
Although no specific measures are prescribed for the board of directors or its designated committee to use to appraise its management performance in technology risk management, suggested key performance indicators for senior management include factors that measure the effectiveness of the framework and strategy that are put in place to protect the availability, integrity and confidentiality of data and systems.
Technology risk oversight
The introduction of more stringent assessments of third-party vendors and entities that access the FI’s IT systems is intended to establish standards and procedures on proper risk treatment measures for vendors targeting a specific technology risk. This provides an additional layer of oversight over technology risk matters at an organisational level.
FIs should ensure these third-party service providers are able to meet regulatory standards expected of them. The use of a third-party service provider should not result in a deterioration of controls and compromise of risk management.
Where the 2013 edition only required FIs to be careful in their selection of vendors and contractors and to implement a screening process before engaging vendors and contractors, the TRM Guidelines now require an FI to accomplish the following:
While the TRM Guidelines adopt the same meaning for “outsourcing arrangement” as that defined in the MAS Guidelines on Outsourcing (footnote 3), the TRM Guidelines additionally cover third-party services that are used by FIs but may not constitute outsourcing arrangements, such as IT forensics, penetration testing and online marketing services.
These third-party services are provisioned or delivered using IT or may involve confidential customer information electronically stored and processed at the third party.
FIs are expected to assess the technology risks posed by the third parties’ services and mitigate the risks accordingly.
Effective cyber surveillance
FIs are expected to determine the frequency of review based on the criticality of the control, process, procedure, system or service, and on their evaluation of the technology and cyber risks.
At a minimum, FIs should conduct a review whenever there is a significant change in the operating environment or threat landscape.
The TRM Guidelines include guidance on cyber exercises, such as:
Secure system and software development
The introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem responds to clear indications of a worsening cyber threat environment. The intention is largely to emphasise the importance of security across the financial ecosystem.
The 2013 edition provided for, among other things, a general incident management plan for a disruption to the standard delivery of IT services, a general comment that simulations of actual attacks could be carried out as part of a penetration test, and suggestions for FIs to implement security solutions that adequately address and contain threats to their IT environment.
In contrast, the TRM Guidelines require FIs to do the following:
As software development practices may vary across FIs, MAS expects FIs to assess the applicability of internationally recognised industry best practices on software development, adopt these practices, and train their developers so that they have the skills that are commensurate with their job responsibilities.
However, MAS will still expect from FIs the following in relation to software application development and management:
Adversarial attack simulation exercise
Adversarial attack simulation exercises test the FI’s capability to prevent, detect and respond to threats by simulating perpetrators’ tactics, techniques and procedures against the people, processes and technology underpinning the FI’s business functions or services.
FIs may use a combination of tools and techniques, automated or otherwise, for vulnerability assessments and adversarial attack simulation exercises. These may be combined with intelligence-led exercises where the intelligence-led exercise also constitutes an adversarial attack simulation exercise.
Management of cyber risks posed by emerging technologies
FIs should ensure that IoT devices connected to their networks are secure.
Communication from IoT devices should be monitored so that FIs can detect and respond to suspicious activities in a timely manner. Information that will help FIs track or locate the IoT devices should be maintained.
If IoT devices have no, or only minimal, security controls, FIs should assess whether such devices should be allowed to connect to their network, and implement appropriate processes and controls to mitigate the risks arising from them.
While the TRM Guidelines are a set of principles or “best practice standards” that serve as guidance for FIs (i.e., these are not legal obligations on FIs per se), they provide further insight on the mandatory requirements set out in the following technology risk management notices issued by the MAS:
These impose legal obligations on FIs and carry penalties for noncompliance.
(Please see our earlier Alert: Monetary Authority of Singapore Issues New Rules to Strengthen Cyber Resilience of Financial Industry.)
In addition, as MAS’ emphasis is on the degree of observance with the spirit of the Guidelines, how well an FI observes the 2021 Guidelines may have an impact on the MAS’ overall risk assessment of that FI.
MAS expects all FIs to take steps to ensure that their business operations comply with the 2021 Guidelines, particularly bearing in mind the following:
- The need for a heightened awareness of certain cyber security risks
- The need to conduct a stock take of information assets of the FI (even if it is to double check), as well as the processes and controls that are in place to manage these information assets according to their security classification or criticality
While the revisions appear to be directed largely at larger FIs, MAS will allow FIs to adopt the TRM Guidelines based on the nature, size and complexity of their business, and will allow each FI to draw up its own roadmap to implement IT practices that meet the expectations in the TRM Guidelines.
We would be happy to advise you further on ensuring your key technology and cyber risk management principles and best practices meet MAS’ expectations.
1 Published at: https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf?la=en&hash=607D03D8FD460EBDA89FC2634E25C09B5D0ADDA3
2 See MAS’ response to the Consultation Paper at: https://www.mas.gov.sg/-/media/MAS/News-and-Publications/Consultation-Papers/Response-to-Consultation-Paper_TRM-Guidelines-2021.pdf?la=en&hash=DD65064FAD6D9C9A9BE603162D78675034ED70A2
3 Published at: https://www.mas.gov.sg/regulation/guidelines/guidelines-on-outsourcing
4 Published at: https://www.mas.gov.sg/regulation/notices/notice-cmg-n02
5 Published at: https://www.mas.gov.sg/regulation/notices/notice-cmg-n03