The MAS Technology Risk Management Guidelines And What You Need To Know

The MAS technology risk management guidelines and what you need to know

Technology risk management guidelines article – May 2021

The MAS technology risk management guidelines and what you need to know

The Monetary Authority of Singapore (MAS) released their Guidelines on Risk Management Practice – Technology Risk in January 2021. MAS advises that the aim of the guidelines is “to promote the adoption of sound and robust practices for the management of technology risk.”

The MAS has published these recent guidelines as a revision of the risk management principles and best practices established in its 2013 guidelines. This revision was created in response to the rapid digital transformation in the financial sector, and to incorporate the latest developments in the best practices of technology risk management.

It should be noted that the guidelines are not comprehensive and provide general guidance only. They should be read in conjunction with current legislation and do not replace or override any existing legislative provisions.

What do the guidelines cover?

The revised guidelines focus on two primary components:

  • the importance of establishing sound and robust governance in technology risk management, and
  • maintaining cyber resilience as a key objective for financial institutions.

The guidelines advise that mere oversight of technology risks by boards and senior management is no longer sufficient – actual governance procedures need to be put in place to manage technology risk effectively, such as the creation of a technology risk management framework. The board and senior management also need to cultivate a strong risk culture within the institution.

Cyber resilience is a vital element for financial institutions to review and improve. As institutions become more dependent on technology for efficiencies and improved customer service, they also become increasingly vulnerable to technology risks, including cyber risk. Cyber resilience is vital to ensuring continued trust and confidence in financial services – institutions need to continuously improve their processes and controls in order to preserve confidentiality, integrity and availability of data and IT systems.

Proposed overarching guidelines

The MAS proposed the following overarching guidelines for financial institutions to proactively minimise their exposure to technology risk.

  • Establish a technology risk management strategy.
  • Ensure the Board and senior management are equipped with the knowledge to understand and manage technology risks. This can be achieved by undergoing training to raise their awareness of risks and enhance their understanding of technology risk management practices.
  • Appoint a Chief Information Officer (CIO) and a Chief Information Security Office (CISO) with sufficient expertise and experience. These roles are responsible for establishing and implementing (a) the overall IT strategy and IT risk management, and (b) the Information Security strategy and programme, respectively.
  • Improve and strengthen cyber resilience.

Improving and strengthening cyber resilience

Cyber resilience is “the ability to anticipate, withstand, contain and rapidly recover from a cyber incident.”

Under the guidelines, financial institutions are expected to continuously strengthen their cyber resilience to maintain trust and confidence in financial services.

The guidelines provide recommendations on the following:

  • the management of third-party services
    • assess and manage exposure to technology risks via third parties
    • ensure third parties have sufficient skill to perform IT functions and to manage technology risks
    • establish standards and procedures to evaluate and select qualified vendors, and
    • create safeguards and checks for any personnel with access to data and systems to minimise risk of insider threats, and assess risks of allowing third parties to interact with an institution’s application programming interface (API).
  • adopting a security-by-design approach in IT project management
    • adopt security-by-design principles and involve the IT security function in all stages of a system development life cycle (SDLC) for all IT projects
    • use of Agile (an incremental approach to software development) throughout the development process, and
    • incorporate the SDLC framework and security-by-design principles in DevOps (combined practice of IT operations and software development) → DevSecOps for combined, security-focused approach.
  • cyber intelligence, cyber security operations and assessment
    • establish cyber intelligence capabilities by using cyber intelligence monitoring services and engaging in cyber threat information sharing with other institutions
    • create or acquire a security operations centre function to enable the continuous monitoring of cyber events, and
    • conduct regular scenario-based cyber exercises and attack simulation exercises to test capability to respond to and recover from cyber threats.
  • the use of emerging technologies
    • establish policies and standards for management of the use of virtualisation solutions
    • institutions should maintain an inventory of devices and implement appropriate security controls for Internet of Things (IOT) devices, and
    • ensure biometric technologies are encrypted to protect customer data.

Summary

While the 2021 revised guidelines have the same intention as the original guidelines established in 2013, this edition responds to the changing digital landscape and incorporates developments to the current best practices in technology risk management.

The key takeaways are that:

  • financial institutions need to shift their risk management from being mere oversight to become hands-on, proactive governance
  • institutions will now be expected to regularly maintain and improve their cyber resilience
  • institutions must perform their own technology risk assessments and determine what needs to be implemented in order to address the risks found, and
  • the guidelines are not a one-size-fits-all set of guidelines – institutions should adopt these guidelines at a level that is in line with the level of risk and complexity of financial services offered by the institution.

The benefits of operating in a technology-enhanced world are many, but technology also comes with increased risks and opportunities for fraudulent or criminal behaviour. The MAS guidelines encourage financial institutions to understand their exposure to technology risks and put in place robust processes to limit this risk and ensure cyber resilience.

You might also like
Repeat Fraudster Embezzles over $300,000 Repeat Fraudster Embezzles over $300,000
Navigating Criminal Record Searches for New Hires Navigating Criminal Record Searches for New Hires
Employee Fraud Costs Business $30,000 Employee Fraud Costs Business $30,000
Bank Employees Accept Bribes in Mortgage Fraud Case Bank Employees Accept Bribes in Mortgage Fraud Case
Navigating Criminal Record Searches for Employees Navigating Criminal Record Searches for Employees
IT Contractor Charged In Fraud Had No Background Check IT Contractor Charged In Fraud Had No Background Check
Employee Fraud Is More Common Than You Think Employee Fraud Is More Common Than You Think
Another Day A Different Job — The Gig Economy Another Day A Different Job — The Gig Economy

Business Locations

Australia

Suite 902, Level 9, 50 Berry St., North Sydney 2060, Australia

India

9th Floor, G-Corp Tech Park, Kasarvadavali Ghodbunder Road,Thane West, 400 615

Singapore

101 Thomson Road, #10-1 United Square, Singapore 307591

Beijing, China

1406, 14th Floor, Building 1, No. 9, Hongye Road, Daxing District, Beijing, China 100162

Malaysia

Suites W307 & W308, 3rd Floor, West Wing, Wisma Consplant 1, No. 2, Jalan SS16/4, 47500 Subang Jaya, Selangor Darul Ehsan, Malaysia

Philippines

5/F Science Hub Building, Tower 4, McKinley Hill, Taguig City, Philippines 1634

Hong Kong (SAR)

Unit C, 11/F, On Hing Building, 1 On Hing Terrace, Central, Hong Kong

Taiyuan, China

503 Bldg.2, Zhulian Tower, No.129 Changfeng Street, Xiaodian District, Taiyuan, China 030006

Background Check Services

Criminal Background Checks
Background Check Singapore
Background Checks Hong Kong
Background Checks Malaysia
Background Checks India

Employment Screening Services

Pre-Employment Screening
Background Checks for Employment
Reference Checks
Social Media Background Checks

Business Check Services

Bankruptcy, Insolvency & Credit Checks
Right to Work
Customer Due Diligence

Health Screening Services

Drug Screening
Alcohol Screening
Employment Medical Checks

Identity Verification

Document Verification
Address Verification
Passport Verification
Visa Verification

Integrity Screening

Financial Probity Checks
Directorship Checks
PPSR Checks
Adverse Media Checks
M & A Due Diligence
AML Checks
PEP Checks
Rescreening

About Us

About Us
Privacy
Careers
Modern Slavery Act Statement

Resources

Blog
Compliance
Integrations

Connect With Us

info@sterlingrisq.com
Contact Us
Events Near You
Find us on

© 2023 Sterling RISQ

3 Critical Components of a Global Background Check Program3 Critical Components of a Global Background Check ProgramA Practical Guide for Social Media Screening: Keeping it Simple in a Complex WorldA Practical Guide for Social Media Screening: Keeping it Simple in a Complex...
en_USEnglish
en_USEnglish