On 18 January 2021, the Monetary Authority of Singapore (“MAS”) issued the revised Technology Risk Management Guidelines (“Guidelines”) to keep pace with emerging technologies and shifts in the cyber threat landscape.
The revised Guidelines focus on addressing technology and cyber risks amid the growing use of cloud technologies, application programming interfaces and rapid software development by financial institutions (“FIs”). The Guidelines reinforce the importance of incorporating security controls as part of FIs’ technology development and delivery lifecycle, as well as in the deployment of emerging technologies.
Roles and responsibilities of board of directors and senior management
The revised Guidelines provide additional guidance on the roles and responsibilities of the board of directors and senior management, including the following:
• Both the board of directors and senior management should have members with the knowledge to understand and manage technology risks, which include risks posed by cyber threats.
• The board of directors and senior management should ensure that a Chief Information Officer and a Chief Information Security Officer, with the requisite experience and expertise, are appointed.
• The board of directors and senior management should ensure that key information technology (“IT”) decisions are made in accordance with the FI’s risk appetite.
Enhanced risk mitigation strategies
The revised Guidelines set out the following enhanced risk mitigation strategies for FIs:
• Cyber threat intelligence and information sharing: To maintain good cyber situation awareness, FIs should establish a process to collect, process and analyse cyber-related information for its relevance and potential impact to the FI’s business and IT environment. In addition, FIs should procure cyber intelligence monitoring services. As cyber threat information sharing is an important component of cyber resilience within the financial ecosystem, FIs should actively participate in cyber threat information-sharing arrangements with trusted parties to share and receive timely and actionable cyber threat information.
• Stress testing of cyber defences: FIs should conduct cyber exercises to stress test their cyber defences by simulating the attack tactics, techniques, and procedures used by real-world attackers.
The Guidelines have also been revised to include additional guidance to manage risks arising from emerging technologies, including the following:
• Virtualisation security: FIs should ensure that security standards are established for all components of a virtualisation solution (e.g. the hypervisor, the host operating system and the guest operating system). Strong access controls should be implemented to restrict administrative access to the hypervisor and host operating system. FIs should also establish policies and standards to manage virtual images and snapshots to protect these assets against unauthorised access or modification.
• Internet of Things: FIs should maintain an inventory of all their Internet of Things (“IoT”) devices, including information such as the networks to which they are connected and their physical locations. In addition, the network that hosts IoT devices should be secured and FIs should implement controls to prevent unauthorised access to IoT devices.
Oversight of arrangements with third-party service providers
In light of FIs’ growing reliance on third-party service providers, the revised Guidelines set out the expectation for FIs to exercise strong oversight of arrangements with third-party service providers. On an ongoing basis, FIs should ensure that third-party service providers employ a high standard of care and diligence in protecting data confidentiality and integrity as well as ensuring system resilience.
Background
The revised Guidelines incorporate feedback received from the public consultation conducted in 2019, MAS’ engagement with the industry, and MAS’ Cyber Security Advisory Panel. MAS issued its response to feedback received on the consultation paper on 18 January 2021.
Further information
Should you have any queries, please do not hesitate to get in touch with your usual contact at Allen & Gledhill or any of the following:
Francis Mok
+65 6890 7786
[email protected]
Karen Tiah
+65 6890 7741
[email protected]