The Monetary Authority of Singapore (MAS) published a revision of the Technology Risk Management Guidelines (the Guidelines) on 18 January 2021. Alongside the revision, MAS also released a response to the public consultation conducted in the process of developing the revised Guidelines.
This revision builds on the risk management principles and best practices set out in the 2013 version of the Guidelines, which were developed to guide financial institutions amid accelerating digital transformation in the financial sector.
The revised Guidelines centre around two core ideas:
- the importance of governance in technology risk management; and
- maintaining cyber resilience as a key objective for Financial Institutions (FIs).
Technology risk governance and oversight
The revised Guidelines emphasise governance as a vital component in managing technology risks. Mere oversight over the FI's management of technology risks by the board of directors and senior management is no longer sufficient.
As part of enhanced governance, the Board and senior management should ensure that a technology risk management strategy is established. They should also ensure that key technology decisions are made according to the FI's risk appetite. (Guidelines 3.1.4, 3.1.5)
The Board and senior management are now expected to set the tone from the top and cultivate a strong culture of technology risk awareness and management at all levels within the FI. As such, both the Board and senior management should have members equipped with the knowledge to understand and manage technology risks. The Board should also undergo training to raise their awareness of technology risks and enhance their understanding of technology risk management practices. (Guidelines 3.1.2, 3.1.6, 3.6.3)
New C-suite executive appointments
The Board and senior management should ensure that a Chief Information Officer (CIO) (or its equivalent) and a Chief Information Security Officer (CISO) (or its equivalent) with the requisite expertise and experience are appointed.
A CIO is responsible for establishing and implementing the FI's overall IT strategy and IT risk management, while a CISO is responsible for the FI's Information Security strategy and programme.
At the minimum, the appointments should be approved by the Chief Executive Officer. (Guidelines 3.1.3)
New responsibilities for Board and senior management
The Guidelines also set out new responsibilities for the Board and senior management respectively. (Guidelines 3.1.7, 3.1.8)
The Board, or a committee delegated by it, is expected to:
- ensure that a sound and robust technology risk management framework is established and maintained;
- give senior executives in charge of executing the technology risk management strategy, sufficient authority, resources and access to the Board;
- ensure that the FI has a technology risk management function to oversee the established framework and strategy, and to provide an independent view of technology risks relevant to the FI;
- approve the FI's technology risk appetite and risk tolerance statement, which articulate the nature and extent of technology risks that the FI is willing and able to assume;
- review the technology risk management strategy regularly for continued relevance;
- assess management competencies for managing technology risks; and
- ensure that an independent audit function is established to assess the effectiveness of the FI's IT controls, risk management and governance.
Senior management are expected to:
- establish the technology risk management framework and strategy;
- manage technology risks based on the established framework and strategy;
- ensure that sound and prudent technology risk management policies, standards and procedures are established, maintained and implemented effectively;
- ensure the roles and responsibilities of staff in managing technology risks are set out clearly; and
- apprise the Board of technology risk developments and incidents.
Maintaining cyber resilience
Cyber resilience is the ability to anticipate, withstand, contain and rapidly recover from a cyber incident. FIs are expected to continuously strengthen their cyber resilience to sustain trust and confidence in financial services.
To better guide FIs in maintaining cyber resilience, the Guidelines provide new recommendations on:
- the management of third party services;
- adopting a security-by-design approach in IT project management;
- cyber intelligence, cyber security operations and assessment; and
- the use of emerging technologies.
Management of third party services
Keeping in mind the importance of the human element in managing IT systems, FIs should assess and manage their exposure to technology risks arising at the third party before engaging third-party services. (Guidelines 3.4)
FIs should ensure that third party service providers have the requisite level of skill to perform IT functions and to manage technology risks. A background check on personnel with access to the FI's data and IT systems should also be performed to minimise the risk of insider threats. (Guidelines 3.5)
When acquiring software and IT systems for projects, FIs should establish standards and procedures to evaluate and select qualified vendors. FIs should also ensure adequate safeguards over any vendor access to the FI's data and IT systems. In deploying off-the-shelf software solutions, FIs should assess the risks involved and implement appropriate security controls. (Guidelines 5.3)
Third parties may also interact with an FI's information system through an FI's application programming interface (API). Before allowing third parties to use their APIs, FIs should establish a well-defined vetting process, conduct risk assessments and implement appropriate controls governing third party API access. The Guidelines also set out key considerations for FIs in developing secure APIs. (Guidelines 6.4)
Incorporating security-by-design in IT project management
The Guidelines recommend that FIs establish a framework to manage the system development life cycle (SDLC) for all IT projects. At every phase of an IT project's SDLC, FIs should adopt security-by-design principles and involve the IT security function. (Guidelines 5.4)
The Guidelines also make similar recommendations on the use of Agile – an incremental approach to software development which encourages teams to exercise flexibility throughout the development process. FIs should continue to apply the established SDLC framework and security-by-design principles even when adopting Agile development practices. (Guidelines 6.2.1)
The SDLC framework and security-by-design principles should also be incorporated into DevOps – the combined practice of IT operations and software development to provide continuous delivery of IT systems. The Guidelines use the term "DevSecOps" to emphasise this combined, security-focussed approach. (Guidelines 6.3.1)
Maintaining cyber awareness
The Guidelines promote good cyber awareness as part of an FI's technology risk management strategy, through the use of cyber intelligence, cyber security operations and cyber security assessments.
FIs should establish cyber intelligence capabilities, by procuring cyber intelligence monitoring services and participating in cyber threat information-sharing. These capabilities should also detect and respond to misinformation about the FI on the Internet. FIs can consider engaging external media monitoring services to do this. (Guidelines 12.1)
FIs should also establish or acquire a security operations centre function to facilitate the continuous monitoring of cyber events. The use of baseline profile and user behavioural analytics to analyse system logs is also recommended. (Guidelines 12.2)
Cyber security assessments should extend beyond vulnerability assessments and penetration testing of IT systems. FIs should also carry out regular scenario-based cyber exercises and adversarial attack simulation exercises (more commonly known as red teaming) to test their capability to respond to and recover from cyber threats. (Guidelines 13.1–13.5)
The Guidelines also touch on emerging technologies such as virtualisation solutions, Internet of Things (IoT) devices, and biometric technologies.
The use of virtualisation solutions should be accompanied by established policies and standards for proper management. When IoT devices are used, FIs should maintain an inventory of devices and implement appropriate security controls. (Guidelines 11.4, 11.5)
When biometric technologies are used for customer authentication, biometrics-related data and authentication credentials should be encrypted. The performance of biometric solutions should also be calibrated according to the risk of the corresponding online activity. (Guidelines 14.2)
The revised Guidelines retain many of the expectations from the guidelines published in 2013, while incorporating new developments in best practices for technology risk management.
The first key takeaway from the revised Guidelines is the shift in emphasis from mere oversight to governance. The second is that FIs are expected to continuously maintain and evolve their cyber resilience.
MAS expects FIs to perform their own technology risk assessments and determine what they need to implement in order to address technology risks.
FIs should adopt recommendations in the Guidelines commensurate to the level of risk and complexity of the financial services offered and the supporting technologies.
FIs are reminded that they are required to comply with the applicable Notices issued by MAS, such as the Notice on Technology Risk Management and/or the Notice on Cyber Hygiene.