Technology Risk Management (TRM) for DPT service providers
What is the purpose of MAS' Technology Risk Management (TRM) Guidelines?
The MAS' TRM Guidelines set out risk management principles and best practice standards to guide financial institutions in managing technology risk.
The TRM Guidelines apply to all financial institutions ('FIs') regulated by the MAS, such as banks, insurers, venture capital managers and payment services licensees. A revised version of the TRM Guidelines took effect on 18 January 2021.
The TRM Guidelines, as revised, focus on addressing technology and cyber risks in an environment of growing use by FIs of cloud technologies, application programming interfaces, and rapid software development. They reinforce the importance of incorporating security controls as part of FIs' technology development and delivery lifecycle, as well as in the deployment of emerging technologies.
The TRM Guidelines set out certain requirements and best practices for technology risk management, and they guide FIs in:
o establishing sound and robust technology risk governance and oversight and a process for sharing of cyber threat intelligence within the financial ecosystem; and
o maintaining cyber resilience by requiring FIs to stress test their cyber defences by simulating attack tactics, techniques and procedures used by hackers.
FIs are also expected to exercise strong oversight of arrangements with third party service providers, to ensure system resilience and maintain data confidentiality and integrity. The TRM Guidelines provide detailed guidance on the level of assessment required of third parties who have access to the FI's IT systems. The FI should establish standards and procedures for vendor evaluation and selection to ensure that the vendor is qualified and able to meet its project requirements and deliverables. The level of assessment and due diligence performed must be commensurate with the criticality of the project deliverables to the FI.
In addition, the TRM Guidelines provide guidance on the roles and responsibilities of the board of directors and senior management of the FIs to ensure that they are able to exercise effective oversight over the FI's IT systems and the associated risks. To this end:
o The board of directors and senior management should have members who have the knowledge to understand and manage technology risks, which include risks posed by cyber threats.
o They should also ensure that a Chief Information Officer and a Chief Information Security Officer, with the requisite expertise and experience, are appointed.
o The TRM Guidelines set out an expanded list of responsibilities for the board of directors and senior management respectively. For instance, the board of directors is responsible for, amongst other things, undertaking regular review of the technology risk management strategy for continued relevance, and for assessing management competencies for managing technology risks. Senior management is responsible for ensuring that the roles and responsibilities of staff in managing technology risks are clearly delineated, and for apprising the board of directors in a timely manner of salient and adverse technology risk developments and incidents that are likely to have a major impact on the FI.