The Monetary Authority of Singapore (“MAS”) recently revised its Technology Risk Management Guidelines (the “Guidelines”) which are to be observed and followed by all financial institutions (“FIs”) that are regulated by the MAS. The latest round of revisions was made in response to the fast-emerging technology as well as heightened cyber threat risks. This may also be seen as timely and necessary against the backdrop of recent cyber attacks in relation to supply chains, where widely-used network management software became a target and a victim of such attacks.
MAS reminds all FIs that security controls are of utmost importance and must be observed as part of the FIs’ development and deployment of technology in their operations. This should be done from the ground-up within the organisation by implementing security-by-design and rigorous testing of all IT systems. FIs should also conduct periodic reviews using a risk management framework to identify, assess, remedy and monitor risk areas.
Where outsourcing arrangements are concerned, the revised Guidelines note that FIs may outsource certain IT services which could involve a third-party service provider processing sensitive or confidential customer information. The guidelines require FIs to assess the technology risks the third party is exposed to and the security of its systems before engaging them. Additionally, it expects FIs to continue to protect customer data even when it is held by third parties by having robust oversight of all arrangements with third party service providers so as to ensure system resilience, as well as data confidentiality and integrity.
Apart from outsourcing IT services, FIs may develop their own software which could incorporate IT tools developed by third parties. The Guidelines set out best practices for developing software with a focus on security and reliability while recommending comprehensive testing and vetting of any third party elements incorporated into the IT tool, especially if the tool relates to the transfer of customer data.
The revised Guidelines also provide guidance and expectations on the roles and responsibilities of the board of directors and senior management in ensuring effective security controls and risk management practices are applied within the FI’s systems. This means that the board of FIs should include members who are equipped to provide effective oversight of technology and cyber risks, and should appoint individuals to roles directly responsible for security within the organisation.
In summary, the Guidelines are helpful in highlighting common areas where cyber security is an issue and the key steps FIs can take to address them. A key takeaway is that this development will impact not only FIs, but their IT service providers as well. The Guidelines make it clear that FIs can no longer focus solely on securing their own systems and must now also manage the potential technology risks of their IT service providers as well. Moving forward we can expect to see FIs requiring increasing levels of security and accountability from IT service providers.