MAS Technology Risk Management Update

Download

With the increase in cyber-attacks like the recent solar winds one and the very public issues with WireCard which left many firms in Singapore and beyond being unable to process transactions, the strengthening of the Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines (TRM) was inevitable.

The revised TRM set out technology risk management principles and best practices for the financial sector and provides guidance for Financial Institutions to establish a sound and robust Technology Risk Governance and Oversight Framework. This requires firms to adopt a defence-in-depth approach to strengthen cyber resilience, and continuously improve IT processes and controls to preserve confidentiality, integrity and availability of data and IT systems. Protiviti supports regulated institutions in testing, policy gap assessments, and roadmap development to achieve compliance to prevailing standards.

Highlighted Key Updates

124 New Requirements, 2 New Sections, 26 New Sub-sections, 3 New Appendices

Additional Guidance on the Roles and Responsibilities of the Board of Directors and Senior Management

Expanded roles and responsibilities for the Board of Directors and Senior Management. This requires members with the necessary skills and understanding of technology risks, and also include establishing a strong risk culture and a sound and robust technology risk management framework.

New Section on Cyber Surveillance and Security Operations

Guidance on cyber surveillance, and cyber incident management. This requires firms establish and continuously strengthen the processes and controls to identify, prevent, detect, respond to, and recover from cyber incidents.

More Stringent Assessment Requirements of Third-Party Vendors and Entities

Requirements to establish standards and procedures for vendor evaluation where critical; requirements to develop a well-defined vetting process for assessing third party entities that have access to their Application Programming Interface (API) and for governing the nature of the API access.

Expansion of Cyber Security Assessments

This dictates minimal requirements of the vulnerability assessment which include the discovery process, an identification of weak security configurations and open network ports, and the extent of penetration testing (to be performed under a combination of blackbox and greybox testing).

How can Protiviti Help Prepare Your Business to Meet Obligations of the Revised Requirements?

Technology, Strategy and IT Operations

Security & Privacy Services

Software Services

Technology Strategy and IT Operations services to align IT and business strategy.
Transformation programme execution and embedding of security-by-design to maximise investment and strategy realisation.
Establish effective IT operating models and governance (reporting) to address the expanded roles of management in managing technology risks.

Build and maintain an effective security monitoring and Security Operations Centre function.
Evaluate control design (DevSecOps) within the organisation and third parties and provide recommendations on gaps.
Technical security postures i.e. data security and privacy, cloud security, vulnerability / penetration testing.
Improve Incident Response and Cyber Resiliency through tabletop exercises, emergency breach response, cyber threat hunting, and cyber resiliency.

Agile software services for the design, development and implementation of innovative technology solutions.
Invoking meaningful transformation based on client business requirements, to provide a comprehensive end-to-end technology solution.
Ensure appropriate TRM focused controls are embedded throughout the system development life cycle.