Monetary Authority of Singapore (MAS): Technology Risk Management Guidelines Overview
The last five years have seen an increase in reliance on technology among financial institutions. IT outsourcing has become more attractive to the financial services industry, but against the backdrop of increased reliance on complex IT systems and operations is the heightened risk of cyber-attacks and system disruptions.
In June 2013, the Monetary Authority of Singapore (MAS) issued the Technology Risk Management Guidelines (TRMG), which address the existing and emerging technology risks within financial institutions.
The objective of the TRMG is for financial firms to establish a sound and robust technology risk management framework, strengthen system security, reliability, resiliency, recoverability and deploy strong authentication to protect customer data and systems.
In today’s blog article we will take a look at some of the key guidelines covered in the guide:
Greater oversight by the board and senior management
According to the MAS framework, a firm's board and senior management are expected to be more involved in key IT procurements and operations decisions as well as assume responsibility for ensuring effective internal controls and risk management practices are put in place to achieve security, reliability, resiliency and recoverability of their systems. The board and senior management are also responsible for overseeing the establishment of IT policies, standards, and procedures to comply with the TRMG.
Firms are expected to establish a technology risk management framework to manage technology risk in a systematic and consistent manner. The framework should set out the roles and responsibilities for managing technology risks and identify the information system assets to be protected and the risks associated with them.
Management of IT outsourcing risks
Financial institutions must perform due diligence on all service providers to determine their viability, capability and reliability in the provision of outsourcing services. Firms should ensure that appropriate contractual terms and conditions are set out fully in the agreements with service providers, such as responsibilities and conditions relating to performance targets, service levels, security, contingency planning, and disaster recovery capabilities.
Systems reliability, availability and recoverability
The MAS expects firms to have in place effective internal controls and risk management practices to ensure the reliability, resiliency and recoverability of IT systems and infrastructure.
Operational infrastructure security management
Financial institutions are expected to implement appropriate security solutions at the data, application, database, systems and network layers to address risks of data theft, data loss and data leakage from endpoint systems and devices.
Enhanced data centre protection and controls
The TRMG recommend the establishment of a threat and vulnerability risk assessment to identify security threats and operational weaknesses in a data centre in order to determine the level and type of protection to be established.
You can find the full Technology Risk Management Checklist here.
In addition to the TRMG and the Notices, the MAS also issued the following:
Response to Public Feedback for the Consultation Paper on the TRM Guidelines;
Instructions on Incident Notification and Reporting to the MAS;
Incident Report Template;
FAQs on the Notices on Technology Risk Management; and
Response to Public Feedback for the Consultation Paper on the Notices on Technology Risk Management.
The above documents can be viewed here.