Recognising the worsening environment of cyber threats while financial institutions (FIs) expand their adoption of emerging technologies to increase their operational efficiency and to deliver better customer service, the revised TRM Guidelines focus on the following:
- Board and Senior Management. Introduction of additional guidance on the roles and responsibilities of the Board of Directors and Senior Management (BSM)
- Management of third parties. Introduction of more stringent assessments of third-party vendors and entities that access the FI’s IT systems
- System and software development. Introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem
We summarise on a non-exhaustive basis below, three broad categories of amendments and MAS’ higher expectations in the areas of technology risk governance and security controls in FIs.
Summary of new provisions
Many of the expectations in the revised TRM Guidelines are taken from the 2013 edition. To prevent fraudulent financial transactions, exfiltration of sensitive financial data or disruption of vital IT systems, we summarise and contrast against the 2013 edition, below, MAS’ enhanced expectations and new guidance on the following:
- Establishing sound, robust technology risk governance and oversight
- Effective cyber surveillance
- Secure system and software development
- Adversarial attack simulation exercise
- Management of cyber risks posed by the emerging technologies such as Internet of Things (IoT)
The table below…
|technology risk governance
||Additional guidance is introduced so that the FI’s BSM comprises individuals who are able to competently exercise their oversight of the FI’s technology strategy, operations and risks. This guidance is broad as the nature, size and complexity of FIs vary.
The 2013 edition required the BSM to accomplish the following:
- Be involved in key IT decisions
- Have general oversight of the technology risks of the FI
- Comply with a list of responsibilities
In contrast, the TRM Guidelines now provide an expanded list of roles and responsibilities for the BSM, of which the roles and responsibilities have been segregated for the board and senior management, respectively:
- That the BSM should ensure that senior managers appointed to have oversight and to manage technology and cyber risk, e.g., the head of Information Technology or CIO, head of Information Security or CISO, have the requisite expertise and experience
- That the BSM should also include members with knowledge of technology and cyber risks
MAS also expects the following:
- The board of directors to approve the risk appetite and risk tolerance statement
- The board of directors and senior management to ensure key IT decisions are made in accordance with the FI’s risk appetite
For the FI whose board of directors is not based in Singapore, these roles and responsibilities in the TRM Guidelines can be delegated to and performed by a management committee or body beyond local management that is empowered to oversee and supervise the local office (e.g., a regional risk management committee).
Although no specific measures are prescribed for the board of directors or its designated committee to use to appraise its management performance in technology risk management, suggested key performance indicators for senior management include factors that measure the effectiveness of the framework and strategy that are put in place to protect the availability, integrity and confidentiality of data and systems.
|technology risk oversight
||The intention of the introduction of more stringent assessments of third-party vendors and entities that access the FI’s IT systems is to establish standards and procedures on proper risk treatment measures for vendors to target a specific technology risk. This provides an additional layer of oversight over technology risk matters at an organisational level.
FIs should ensure these third-party service providers are able to meet regulatory standards expected of them. The use of a third-party service provider should not result in a deterioration of controls and compromise of risk management.
Where the 2013 edition only required FIs to be careful in their selection of vendors and contractors and to implement a screening process before engaging vendors and contractors, the TRM Guidelines now require an FI to accomplish the following:
- Establish standards and procedures for vendor evaluation that is pegged to the criticality of the project deliverables to the FI, e.g., by undertaking a detailed analysis of the vendor’s software development, quality assurance and security practices
- Develop a well-defined vetting process for assessing third-party entities that wish to access an FI’s application programming interface, e.g., by undertaking an evaluation of the third party’s nature of business, cyber security posture, industry reputation and track record
While the TRM Guidelines adopt the same meaning for “outsourcing arrangement” as that defined in the MAS Guidelines on Outsourcing3, the TRM Guidelines additionally cover third-party services that are used by FIs but may not constitute outsourcing arrangements, such as IT forensics, penetration testing and online marketing services.
These third-party services are provisioned or delivered using IT or may involve confidential customer information electronically stored and processed at the third party.
FIs are expected to assess the technology risks posed by the third parties’ services and mitigate the risks accordingly.
|effective cyber surveillance
||FIs are expected to determine the frequency of review based on the criticality of the control, process, procedure, system or service, and their evaluation of the technology and cyber risks.
Minimally, FIs should conduct a review whenever there is a significant change in the operating environment or threat landscape.
TRM Guidelines includes guidance on cyber exercises, such as:
- Penetration testing, and Red Team Exercises, of its IT environment to obtain an accurate assessment of the robustness of their security measures
- Cyber exercises to validate its response and recovery, as well as communication plans against cyber threats, conducted as part of the FI’s business continuity plan test
- Use of a combination of tools and techniques, either automated or otherwise, for vulnerability assessment and adversarial attack simulation exercise
|secure system and software development
||The introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem is a result of a clear indication of a worsening cyber threat environment. The intention is largely to emphasise the importance of security within the financial ecosystem.
The 2013 edition provides for, among others, a general incident management plan for a disruption to the standard delivery of IT services, a general comment that simulations of actual attacks could be carried out as part of a penetration test, and suggestions for FIs to implement security solutions that will adequately address and contain threats to its IT environment
In contrast, the TRM Guidelines require FIs to do the following:
- Establish a process to collect, process and analyze cyber-related information for its relevance and potential impact to an FI’s business and IT environment
- Procure cyber intelligence monitoring services
- Establish a process to detect and respond to misinformation related to the FI that are propagated via the Internet, e.g., engaging external media monitoring services to facilitate the evaluation and identification of online misinformation
- Establish a security operations center or acquire managed security services to facilitate continuous monitoring and analysis of cyber events
- Establish a cyber-incident response and management plan to isolate and neutralize a cyber threat and to securely resume affected services
- Establish a process of collecting, processing and analysing cyber- related information
- Establish minimal requirements of the vulnerability assessment which include the vulnerability discovery process, an identification of weak security configurations and open network ports and the extent of penetration testing to be carried out
- Carry out regular scenario-based cyber exercises to validate their response and recovery plan
As software development practices may vary across FIs, MAS expects FIs to assess the applicability of internationally recognised industry best practices on software development, adopt these practices, and train their developers so that they have the skills that are commensurate with their job responsibilities.
However, MAS will still expect from FIs the following in relation to software application development and management:
- Ensure the service provider or vendor employs a high standard of care in performing the outsourced service as if the service continued to be conducted by the FI
- Apply standards and practices that are aligned with the principles of software development and management even if they contract or outsource software development to third parties
- Perform source code review and adequate security testing to ensure software robustness and security
- perform risk assessment and address software weaknesses that pose significant risks to the confidentiality, integrity and availability of the system and data before its implementation
- Align its DevSecOps processes (the practice of automating and integrating IT operations, quality assurance and security practices in the software development process) with its System Development Life Cycle framework and IT service management processes
|adversarial attack simulation exercise
||Adversarial attack simulation exercises test the FI’s capability to prevent, detect and respond to threats by simulating perpetrators’ tactics, techniques and procedures to target the people, processes and technology underpinning the FI’s business functions or services.
FIs may use a combination of tools and techniques, either automated or otherwise, for vulnerability assessment and adversarial attack simulation exercises, which may be combined with intelligence-led exercises if the intelligence-led exercise is also referring to adversarial attack simulation exercise.
|management of cyber risks posed by the emerging technologies
||FIs should ensure the IoT devices that are connected to their networks are secure.
Communication from IoT devices should be monitored so that FIs could detect and respond to suspicious activities in a timely manner. Information that will facilitate FIs in tracking or locating the IoT devices should be maintained.
If IoT devices do not have, or have minimal, security controls, FIs should assess whether they should allow such devices to be connected to their network, and implement appropriate processes and controls to mitigate the risks arising from such devices.
While the TRM Guidelines are a set of principles or “best practice standards” that serve as guidance for FIs (i.e., these are not legal obligations on FIs per se), they provide further insight on the mandatory requirements set out in the following technology risk management notices issued by the MAS:
These impose legal obligations on FIs and carry penalties for noncompliance.
(Please see our earlier Alert: Monetary Authority of Singapore Issues New Rules to Strengthen Cyber Resilience of Financial Industry.)
In addition, as MAS’ emphasis is on the degree of observance with the spirit of the Guidelines, how well an FI observes the 2021 Guidelines may have an impact on the MAS’ overall risk assessment of that FI.
MAS expects all FIs to take steps to ensure that its business operations comply with the 2021 Guidelines, particularly bearing in mind the following:
- The need for a heightened awareness of certain cyber security risks
- The need to conduct a stock take of information assets of the FI (even if it is to double check), as well as the processes and controls that are in place to manage these information assets according to their security classification or criticality
Where the revisions appear to be heavily directed at larger FIs, MAS will allow FIs to adopt the TRM Guidelines based on the nature, size and complexity of their business, and will allow each FI to draw up its own roadmap to implement IT practices that meet the expectations in the TRM Guidelines.
We would be happy to advise you further on ensuring your key technology and cyber risk management principles and best practices meet MAS’ expectations.
1 Published at : https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf?la=en&hash=607D03D8FD460EBDA89FC2634E25C09B5D0ADDA3
2 See MAS’ response to the Consultation Paper at: https://www.mas.gov.sg/-/media/MAS/News-and-Publications/Consultation-Papers/Response-to-Consultation-Paper_TRM-Guidelines-2021.pdf?la=en&hash=DD65064FAD6D9C9A9BE603162D78675034ED70A2
3 Published at: https://www.mas.gov.sg/regulation/guidelines/guidelines-on-outsourcing
4 Published at: https://www.mas.gov.sg/regulation/notices/notice-cmg-n02
5 Published at: https://www.mas.gov.sg/regulation/notices/notice-cmg-n03