Technology risk management guidelines article – May 2021
The MAS technology risk management guidelines and what you need to know
The Monetary Authority of Singapore (MAS) released their Guidelines on Risk Management Practice – Technology Risk in January 2021. MAS advises that the aim of the guidelines is “to promote the adoption of sound and robust practices for the management of technology risk.”
The MAS has published these recent guidelines as a revision of the risk management principles and best practices established in its 2013 guidelines. This revision was created in response to the rapid digital transformation in the financial sector, and to incorporate the latest developments in the best practices of technology risk management.
It should be noted that the guidelines are not comprehensive and provide general guidance only. They should be read in conjunction with current legislation and do not replace or override any existing legislative provisions.
What do the guidelines cover?
The revised guidelines focus on two primary components:
- the importance of establishing sound and robust governance in technology risk management, and
- maintaining cyber resilience as a key objective for financial institutions.
The guidelines advise that mere oversight of technology risks by boards and senior management is no longer sufficient – actual governance procedures need to be put in place to manage technology risk effectively, such as the creation of a technology risk management framework. The board and senior management also need to cultivate a strong risk culture within the institution.
Cyber resilience is a vital element for financial institutions to review and improve. As institutions become more dependent on technology for efficiencies and improved customer service, they also become increasingly vulnerable to technology risks, including cyber risk. Cyber resilience is vital to ensuring continued trust and confidence in financial services – institutions need to continuously improve their processes and controls in order to preserve confidentiality, integrity and availability of data and IT systems.
Proposed overarching guidelines
The MAS proposed the following overarching guidelines for financial institutions to proactively minimise their exposure to technology risk.
- Establish a technology risk management strategy.
- Ensure the Board and senior management are equipped with the knowledge to understand and manage technology risks. This can be achieved by undergoing training to raise their awareness of risks and enhance their understanding of technology risk management practices.
- Appoint a Chief Information Officer (CIO) and a Chief Information Security Officer (CISO) with sufficient expertise and experience. These roles are responsible for establishing and implementing (a) the overall IT strategy and IT risk management, and (b) the information security strategy and programme, respectively.
- Improve and strengthen cyber resilience.
Improving and strengthening cyber resilience
Cyber resilience is “the ability to anticipate, withstand, contain and rapidly recover from a cyber incident.”
Under the guidelines, financial institutions are expected to continuously strengthen their cyber resilience to maintain trust and confidence in financial services.
The guidelines provide recommendations on the following:
- the management of third-party services
  - assess and manage exposure to technology risks via third parties
  - ensure third parties have sufficient skill to perform IT functions and to manage technology risks
  - establish standards and procedures to evaluate and select qualified vendors, and
  - create safeguards and checks for any personnel with access to data and systems to minimise the risk of insider threats, and assess the risks of allowing third parties to interact with an institution’s application programming interface (API).
- adopting a security-by-design approach in IT project management
  - adopt security-by-design principles and involve the IT security function in all stages of the system development life cycle (SDLC) for all IT projects
  - use Agile (an incremental approach to software development) throughout the development process, and
  - incorporate the SDLC framework and security-by-design principles into DevOps (the combined practice of IT operations and software development), giving a combined, security-focused approach known as DevSecOps.
- cyber intelligence, cyber security operations and assessment
  - establish cyber intelligence capabilities by using cyber intelligence monitoring services and engaging in cyber threat information sharing with other institutions
  - create or acquire a security operations centre function to enable the continuous monitoring of cyber events, and
  - conduct regular scenario-based cyber exercises and attack simulation exercises to test the capability to respond to and recover from cyber threats.
- the use of emerging technologies
  - establish policies and standards for managing the use of virtualisation solutions
  - maintain an inventory of devices and implement appropriate security controls for Internet of Things (IoT) devices, and
  - ensure biometric data is encrypted to protect customer data.
While the 2021 revised guidelines have the same intention as the original guidelines established in 2013, this edition responds to the changing digital landscape and incorporates developments to the current best practices in technology risk management.
The key takeaways are that:
- financial institutions need to shift their risk management from being mere oversight to become hands-on, proactive governance
- institutions will now be expected to regularly maintain and improve their cyber resilience
- institutions must perform their own technology risk assessments and determine what needs to be implemented in order to address the risks found, and
- the guidelines are not one-size-fits-all – institutions should adopt them at a level that is in line with the risk and complexity of the financial services they offer.
The benefits of operating in a technology-enhanced world are many, but technology also comes with increased risks and opportunities for fraudulent or criminal behaviour. The MAS guidelines encourage financial institutions to understand their exposure to technology risks and put in place robust processes to limit this risk and ensure cyber resilience.