On January 18, 2021, the Monetary Authority of Singapore (MAS) released a revised version of its Technology Risk Management (TRM) Guidelines, which were first published in 2013. The original MAS-TRM was drawn up to safeguard customers’ sensitive personal and financial data amid the constant digital transformation and technology disruption in the financial industry.
The MAS-TRM Guidelines set out best-practice standards and a framework that help financial institutions (FIs) meet their data protection and cybersecurity obligations. MAS expects FIs of all sizes carrying out business in Singapore to observe them, including banks, e-payment firms and payment services companies.
In its revised version, MAS-TRM guides financial institutions in establishing robust technology risk governance and maintaining IT and cyber resilience that keep pace with emerging technologies and shifts in the cyber threat landscape.
How does MAS-TRM relate to Cybersecurity Awareness Training?
Cybercriminals frequently target financial institutions because of the sensitive financial data they handle. The revised guidelines list cyber exercises, which put staff awareness and response to the test, among the enhanced risk mitigation measures for financial institutions, in MAS’s words:
To conduct cyber exercises to allow Financial Institutions to stress test their cyber defences by simulating the attack tactics, techniques, and procedures used by real-world attackers.
MAS-TRM specifically expects financial institutions to provide security awareness training to their staff, as set out in Section 3.6:
3.6.1 A comprehensive IT security awareness training programme should be established to maintain a high level of awareness among all staff in the FI. The content of the training programme should minimally include information on the prevailing cyber threat landscape and its implications, the FI’s IT security policies and standards, as well as an individual’s responsibility to safeguard information assets. All personnel in the FI should be made aware of the applicable laws, regulations, and guidelines pertaining to the use of, and access to, information assets.
3.6.2 The training programme should be conducted at least annually for all staff, contractors and service providers who have access to the FI’s information assets.
3.6.3 The board of directors should undergo training to raise their awareness on risks associated with the use of technology and enhance their understanding of technology risk management practices.
3.6.4 The training programme should be reviewed periodically to ensure its contents remain current and relevant. The review should take into consideration changes in the FI’s IT security policies, prevalent and emerging risks, and the evolving cyber threat landscape.
MAS-TRM also uses cyber exercises to build awareness among an FI’s stakeholders. For example, Section 13.3.1 states that financial institutions should conduct regular scenario-based cyber exercises to validate their response, recovery and communication plans against cyber threats such as social engineering and phishing scams.
How does MAS-TRM relate to Policy Compliance?
MAS-TRM also expects financial institutions to protect confidential information through documented policies. For instance, Section 11.1.1 states that financial institutions should develop comprehensive data loss prevention policies.
Financial institutions should have the following policies in place to align with the MAS-TRM guidelines:
- Policies on industry standards and best practices to manage technology risks and safeguard information assets.
- Policies to manage information assets according to their security classification or criticality.
- Policies on an individual’s responsibility to safeguard information assets.
- IT security policies, such as an access control policy.
- Policies, standards, procedures, processes, and activities to manage projects from initiation to closure.
- Data loss prevention policies and measures to detect and prevent unauthorised access, modification, copying or transmission of confidential data.
- Policies and standards to manage virtual images and snapshots.
- Mobile device and application management/authentication policies.
- Security policies for virtualization.
How to Mitigate Risks and Comply with the New MAS-TRM Guidelines
The TRM Guidelines are not themselves legally binding, but MAS takes the degree to which an FI observes them into account in its supervisory risk assessment, and MAS’s legally binding Notices on Technology Risk Management impose related requirements. Financial institutions that ignore the guidelines therefore face regulatory consequences as well as the substantial financial and reputational damage caused by cyberattacks.
Complying with MAS-TRM and other regulations is not only a regulatory expectation for the financial sector; it also protects and strengthens the business itself.
At Right-Hand, our solutions use artificial intelligence to help organizations personalize, automate and gamify employee awareness programs, helping financial institutions meet the security awareness and training expectations of MAS-TRM described above.
We welcome you to learn more about our cybersecurity products and how they support MAS-TRM compliance. Schedule a demo with us and start aligning with the new MAS-TRM guidelines today!
DISCLAIMER: The information provided by Right-Hand is for general information purposes only to permit you to learn more about our products and services. It is not intended to provide legal advice or opinions of any kind and may not be used for professional or commercial purposes. The information provided is accurate and useful to the best of our knowledge. However, the information may not be current and is subject to change without notice. No one should act, or refrain from acting, based solely upon the information provided herein without first seeking appropriate legal or other professional advice. No attorney-client or confidential relationship exists or will be formed between you and Right-Hand or any of our representatives.