Technology Risk Management (TRM) for DPT service providers
What are the technology risk management requirements that financial institutions/PS providers need to look out for?
The following notices set out the requirements on technology and cyber risk management:
(a) The Notice on TRM on maintaining high availability, recoverability, data protection and incident reporting - Only applies to operators and settlement institutions of DPS, which MAS regulates for financial stability risks;
(b) The Notice on Cyber Hygiene , which sets out cyber security requirements that financial institutions must implement to mitigate the growing risk of cyber threats - Applies to all licensees and operators of DPS.
The Monetary Authority of Singapore (MAS) has revised its technology risk management (TRM) guidelines on 18 January 2021; 8 years after their last revision in 2013 arising from an acceleration in digitalisation take-up and increasing cyberattacks caused primarily by an advancement in technology. The TRM guidelines builds on top of the risk management principles and best practices set out in the 2013 and apply to all FIs that MAS regulates, ranging from banks, insurers and exchanges to venture capital/asset managers and payments services firm.
The revised Guidelines centre around two core ideas:
- The growing importance of Management oversight and proactiveness in managing technology
risk; and - Keeping cyber resiliency, robustness and awareness as key elements and objectives of all FIs’enterprise risk strategy
So, what are the key takeaways that FIs or Fintech should take note of?
1. Increased Role &; Responsibilities of Board and Senior Management
a. Expected to endorse and set the tone in terms of establishing the technology risk strategy and implementing the necessary steps according to FI’s risk appetite.
b. Approve a fit and proper CIO/CISO to oversee technology risks
c. Increasing responsibilities on the senior management and board to be more involved in mitigating technology risk and they are advised to update themselves in technology risk if they are not already well-versed in the technology risks.
2. Maintain cyber resilience and awareness
a. Have a robust and structured framework, standards, and procedure to assess and manage the organisation’s exposure to third party services
b. Incorporating security-by-design in IT project management and involving IT security function
c. Periodic cyber security assessment that extends beyond vulnerability assessments and penetration testing of IT systems. FIs should also carry out regular scenario-based cyber exercises and adversarial attack simulation exercises.
d. Maintain an inventory of devices and implement appropriate security controls on an ongoing basis
Besides incorporating new developments in best practices for technology risk management, the revised Guidelines showcased MAS’ expectation for FIs to be more proactive; not just in managing their internal risk from mere oversight but also to implement processes to conduct periodic and continuous assessment to address technology risks through a structured way of detection, response and recovery from potential cyberattacks. With this said, it is wise for FIs and FinTech to relook at their current TRM setup and start adopting recommendations in the Guidelines commensurate to the level of risk and complexity of the financial services offered and the supporting technologies.