The guidelines aim to promote the adoption of robust practices for managing technology risks in the financial sector.

By Farhana Sharmeen and Marc Jia Renn Tan

On 18 January 2021, the Monetary Authority of Singapore (the MAS) issued revised guidelines (the Guidelines) to take into account the fast-changing cyber threat landscape and financial institutions’ increased reliance on cloud technologies, application programming interfaces (APIs), and rapid software development. The Guidelines apply to all banks, payment services firms, and brokerage and insurance firms.

The Guidelines, which became effective immediately on the date of issue, aim to support financial institutions by providing them with a framework of best practices for technology risk governance, oversight, and the controls needed to address technology and cyber risks. The Guidelines are not meant to be exhaustive or prescriptive, and incorporate feedback received from the public consultation conducted in 2019.

The following key changes were introduced.

  1. The board of directors and senior management of financial institutions are responsible for implementing an appropriate risk management framework and internal controls. They should be involved in key IT decisions that may change the financial institution’s risk appetite and strategy, including vetting and approving key technology and cybersecurity appointments.
  2. Financial institutions should adopt standards on secure coding, source code review, and application security testing to prevent software bugs and vulnerabilities from being exploited. For example, financial institutions should:
    • Ensure their software developers are trained to apply these standards when developing applications
    • Use a combination of security testing methods to validate the security of the software application
    • Adopt secure software development best practices when using Agile development methods
  3. Financial institutions should vet third parties that have access to their APIs by considering factors such as the nature of their business, cybersecurity posture, industry reputation, and track record. Financial institutions should also establish security standards for developing secure APIs and adopt strong encryption standards and key management controls to secure the transmission of sensitive data.
  4. Financial institutions should ensure IT audits give the board of directors an independent and objective opinion of the adequacy and effectiveness of their risk management and internal controls relative to their existing and emerging technology risks.
  5. Financial institutions should develop comprehensive data loss prevention policies and adopt measures to enhance operational infrastructure security. For example, they should ensure that confidential data stored in databases, systems, and endpoint devices is encrypted and protected by strong access controls.
  6. Financial institutions should establish a robust process for the timely analysis and sharing of cyber threat intelligence with trusted parties, and should conduct regular cybersecurity assessment exercises to stress test their cyber defences.

Financial institutions should carefully review the Guidelines and make adjustments based on the scale, nature, and complexity of their business. The Guidelines provide general guidance that expounds on the mandatory requirements set out in the MAS Notice on Technology Risk Management, without intending to replace or override any legislative provisions. The Guidelines reflect the MAS’ expectations for technology risk management and security controls in financial institutions, but are not to be regarded as a statement of the standard of care owed by financial institutions to their clients.