To understand the MAS TRM, we must remember that financial institutions are a significant target for cyberattacks because of the sheer value of the information and money flows these institutions manage on behalf of their clients.
The increased use of internet banking, driven by technology and social factors (such as COVID-19), has widened the attack surface, extending it from corporate systems to customer endpoints.
Financial institutions are racing to keep up with higher defense standards, set partly by their own business protection needs and in significant part by governmental requirements created to protect consumers. In the specific case of Singapore, these requirements include the MAS TRM guidelines.
What is the MAS TRM?
The Monetary Authority of Singapore (MAS) issued the Technology Risk Management (TRM) guidelines on June 21st, 2013. Its motivation was the rising complexity of information technology and the increasing reliance of financial institutions on it. Since technology is growing rapidly and financial institutions are using it to support their operations, the MAS decided to release comprehensive guidelines to help organizations manage this growth while also keeping a watch on cybersecurity.
The MAS TRM guidelines apply to every single financial institution (FI) that the MAS is in charge of regulating. These include larger organizations like banks as well as smaller firms such as venture capital managers.
Although the MAS released the original guidelines in 2013, it recently made amendments and released a revised version of the MAS TRM in 2021. According to the official document, the revised guidelines set out principles and best practices for firms in the financial sector to guide them in:
Establishing sound and robust Technology Risk Governance and oversight
Senior management and higher executives play a massive role in the oversight and management of technology risk. They are expected to cultivate a strong risk culture and establish a sound and robust technology oversight policy.
Maintaining Cyber Resilience
Strong cyber resilience is essential to developing trust and confidence in financial services. The document calls for a defense-in-depth approach (basically adding multiple layers of security) to strengthen cybersecurity systems. FIs are also required to continuously update their established IT systems to preserve the confidentiality and integrity of data.
What are the recent changes to MAS TRM?
According to Fintech News, there is a considerable difference between the original and amended MAS TRM guidelines, especially in the increased emphasis on cybersecurity and defense. This shift is noticeable in the use of the word ‘cyber.’ In the 2013 version, it appeared four times, along with ‘cyberattack.’ In the new version, however, the word appears 74 times and is used in tandem with words like “risk,” “threat,” “resilience,” “security,” “criminals,” “incidents,” “events,” “intelligence,” “exercises” and “range.”
Besides the above, here are other changes that were made to the guidelines.
Increased emphasis on the board of directors and senior management playing a role in managing technology risks
The amended guidelines call for upper management to play a more active role in developing the organization’s technology risk management in line with the MAS TRM guidelines. They advise organizations to confirm that there is a CISO or another position with similar responsibilities. In contrast, the original guidelines simply required upper management to have an overview of technology-related matters.
Tech vendors’ assessment
The 2021 guidelines extend the 2013 guidelines to ensure that all third parties critical to delivering finished products must also adhere to the MAS TRM guidelines. The 2013 version only required the FI to consider the risk of outsourcing a section of its operations. This is a significant step up in the security landscape for FIs: by acting according to the 2021 guidelines, they can ensure safe operations with minimal cybersecurity risk from their vendors.
Information sharing and cyber threat monitoring
The guidelines require FIs to have a process whereby they can collect, process, and analyze information related to cybersecurity. This information should also be supported through proper cyber intelligence monitoring and shared with trusted parties. The purpose of this, according to the guidelines, is to create a robust financial network.
Cyberattack simulations and techniques
With the recent rise in cyberattacks like phishing emails and ransomware, the MAS emphasized the importance of running regular cyberattack scenarios to gauge the competence of the FI’s defenses. The guidelines explicitly mention that the activity should extend to senior management, to emphasize that anyone is susceptible to these attacks and everyone should prepare. By comparison, the 2013 version only asked the FI to do some penetration and vulnerability testing.
Cyber incident response and management
The MAS TRM guidelines emphasize the importance of having a system whereby FIs can identify, isolate and neutralize a cyber threat in order to resume any affected services. What this means is that FIs need to work on their existing systems consistently. FIs also need to establish a process to investigate and identify security or control deficiencies, and to lay down the communication, coordination, and response procedures to address such threats.