Financial institutions will be regulated based on a revised set of best practices governing cyber hygiene, cyber resilience and data governance.

To keep pace with emerging technologies and the heightened cybersecurity threats circulating globally, the Monetary Authority of Singapore (MAS) has revised its Technology Risk Management Guidelines for financial institutions (FIs) operating in the country.

The revised set of financial industry best practices focuses on addressing technology and cyber risks in an environment of growing use of cloud technologies, application programming interfaces and rapid software development.

A clear indication of a worsening cyber-threat environment comes from the recent spate of cyberattacks on supply chains that targeted multiple IT service providers through the exploitation of widely-used network management software. The revised guidelines are therefore designed to enhance risk mitigation strategies for FIs in two ways:

  • to establish a robust process for the timely analysis and sharing of cyber-threat intelligence within the financial ecosystem.
  • to stress test FI cyber defenses by recommending regularly cybersecurity exercises that simulate the attack tactics, techniques, and procedures used by real-world attackers.

Cyber hygiene and tech risk management

Incorporating feedback received from public consultation conducted in 2019 and inputs from Monetary Authority of Singapore (MAS) Cyber Security Advisory Panel (CSAP) the guidelines provide additional guidance on the roles and responsibilities of FIs’ boards of directors and senior management:

  • all boards and senior management should ensure that a Chief Information Officer and a Chief Information Security Officer with the requisite experience and expertise are appointed and accountable for managing technology and cyber risks.
  • all boards should include members with the relevant knowledge to provide effective oversight of technology and cyber risks.

Also, FIs’ growing reliance on third-party service providers will require strong oversight of arrangements with such service providers to ensure system resilience as well as maintain data confidentiality and integrity.

According to Tan Yeow Seng, Chief Cyber Security Officer, MAS: “Technology now underpins most aspects of financial services. Not only are financial institutions adopting new technologies, they are also increasingly reliant on third party service providers. The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions.”

MAS expects FIs to observe the guidelines as this will be considered in MAS’ risk assessment of the FIs.