MAS TRM Guidelines
What is MAS TRM?
In January 2021, the Monetary Authority of Singapore (MAS) published its Technology Risk Management (TRM) guidelines for 2021.
The MAS TRM guidelines apply to all financial institutions (FIs) regulated by the Monetary Authority of Singapore. They are of particular interest to CIOs, CTOs, and other persons in positions of authority, since they focus on individual accountability and conduct.
These guidelines set out risk management principles and best practices for financial institutions to establish sound and robust technology risk governance and oversight and to maintain cyber resilience.
Financial institutions are a significant target for cyberattacks due to the value of information that flows through these institutions and the money that these institutions manage on behalf of their clients.
The ease of internet banking, driven by both technology and social factors, increases the exposure of financial institutions to cyberattacks.
Some key points of MAS TRM
- The purpose of MAS TRM is to provide general guidance and not to replace or override any legislative provisions.
- Both the board of directors and senior management should have the knowledge needed to understand and manage technology risks and cyber threats.
- Senior management should set the tone from the top and cultivate a strong culture of technology risk awareness and management at all levels of staff within financial institutions.
- Management should establish a technology risk management framework and strategy and ensure that this framework is implemented and maintained.
- If financial institutions outsource to third-party service providers, they should assess and manage their exposure to technology risks that may affect the confidentiality, integrity and availability of the third party's IT systems and data.
- A comprehensive IT security awareness training program should be established to maintain a high level of awareness among all staff in financial institutions.
- Financial institutions should have a risk management framework that includes risk identification, risk assessment, risk treatment and risk monitoring, review and reporting.
- To minimize bugs and vulnerabilities in its software, the financial institution should adopt standards on secure coding, source code review and application security testing.