Singapore: MAS revises Technology Risk Management ...


Asia-Pacific | Singapore: MAS revises Technology Risk Management Guidelines
By Stephanie Magnus, Ken Chia, Eunice Tan, Ying Yi Liew and Alex Toh
February 16, 2021

In brief

The Monetary Authority of Singapore (MAS) has recently revised its Technology Risk Management Guidelines 2021 ("TRM Guidelines")[1] after feedback from a 2019 public consultation[2] and engaging with cybersecurity experts. While there is some overlap between the TRM Guidelines and the previous 2013 edition of the TRM Guidelines (2013 edition), the TRM Guidelines have been developed primarily to keep pace with the current trends in technology development and deployment.

Contents

Recognising the worsening environment of cyber threats while financial institutions (FIs) expand their adoption of emerging technologies to increase their operational efficiency and to deliver better customer service, the revised TRM Guidelines focus on the following:

- Board and Senior Management. Introduction of additional guidance on the roles and responsibilities of the Board of Directors and Senior Management (BSM)
- Management of third parties. Introduction of more stringent assessments of third-party vendors and entities that access the FI's IT systems
- System and software development. Introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem

We summarise below, on a non-exhaustive basis, three broad categories of amendments and MAS' higher expectations in the areas of technology risk governance and security controls in FIs.
Summary of new provisions

Many of the expectations in the revised TRM Guidelines are taken from the 2013 edition. To prevent fraudulent financial transactions, exfiltration of sensitive financial data or disruption of vital IT systems, we summarise below, and contrast against the 2013 edition, MAS' enhanced expectations and new guidance on the following:

- Establishing sound, robust technology risk governance and oversight
- Effective cyber surveillance
- Secure system and software development
- Adversarial attack simulation exercise
- Management of cyber risks posed by emerging technologies such as the Internet of Things (IoT)

The table below…

Technology risk governance

Additional guidance is introduced so that the FI's BSM comprises individuals who are able to competently exercise their oversight of the FI's technology strategy, operations and risks. This guidance is broad, as the nature, size and complexity of FIs vary.

The 2013 edition required the BSM to accomplish the following:

- Be involved in key IT decisions
- Have general oversight of the technology risks of the FI
- Comply with a list of responsibilities

In contrast, the TRM Guidelines now provide an expanded list of roles and responsibilities for the BSM, with the roles and responsibilities segregated between the board and senior management, respectively:

- The BSM should ensure that senior managers appointed to have oversight of and to manage technology and cyber risk, e.g., the head of Information Technology or CIO and the head of Information Security or CISO, have the requisite expertise and experience
- The BSM should also include members with knowledge of technology and cyber risks

MAS also expects the following:

- The board of directors to approve the risk appetite and risk tolerance statement
- The board of directors and senior management to ensure key IT decisions are made in accordance with the FI's risk appetite

For an FI whose board of directors is not based in Singapore, these roles and responsibilities in the TRM Guidelines can be delegated to and performed by a management committee or body beyond local management that is empowered to oversee and supervise the local office (e.g., a regional risk management committee).
Although no specific measures are prescribed for the board of directors or its designated committee to use to appraise management performance in technology risk management, suggested key performance indicators for senior management include factors that measure the effectiveness of the framework and strategy put in place to protect the availability, integrity and confidentiality of data and systems.

Technology risk oversight

The intention of introducing more stringent assessments of third-party vendors and entities that access the FI's IT systems is to establish standards and procedures on proper risk treatment measures for vendors that target a specific technology risk. This provides an additional layer of oversight over technology risk matters at an organisational level.

FIs should ensure these third-party service providers are able to meet the regulatory standards expected of them. The use of a third-party service provider should not result in a deterioration of controls or a compromise of risk management.

Where the 2013 edition only required FIs to be careful in their selection of vendors and contractors and to implement a screening process before engaging vendors and contractors, the TRM Guidelines now require an FI to accomplish the following:

- Establish standards and procedures for vendor evaluation that are pegged to the criticality of the project deliverables to the FI, e.g., by undertaking a detailed analysis of the vendor's software development, quality assurance and security practices
- Develop a well-defined vetting process for assessing third-party entities that wish to access an FI's application programming interface, e.g., by undertaking an evaluation of the third party's nature of business, cybersecurity posture, industry reputation and track record

While the TRM Guidelines adopt the same meaning for "outsourcing arrangement" as that defined in the MAS Guidelines on Outsourcing[3], the TRM Guidelines additionally cover third-party services that are used by FIs but may not constitute outsourcing arrangements, such as IT forensics, penetration testing and online marketing services. These third-party services are provisioned or delivered using IT, or may involve confidential customer information electronically stored and processed at the third party.
FIs are expected to assess the technology risks posed by the third parties' services and mitigate the risks accordingly.

Effective cyber surveillance

FIs are expected to determine the frequency of review based on the criticality of the control, process, procedure, system or service, and on their evaluation of the technology and cyber risks. Minimally, FIs should conduct a review whenever there is a significant change in the operating environment or threat landscape.

The TRM Guidelines include guidance on cyber exercises, such as:

- Penetration testing and Red Team Exercises of the FI's IT environment, to obtain an accurate assessment of the robustness of its security measures
- Cyber exercises to validate the FI's response and recovery plans, as well as its communication plans against cyber threats, conducted as part of the FI's business continuity plan test
- Use of a combination of tools and techniques, either automated or otherwise, for vulnerability assessment and adversarial attack simulation exercises

Secure system and software development

The introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem is a result of a clear indication of a worsening cyber threat environment. The intention is largely to emphasise the importance of security within the financial ecosystem.
The 2013 edition provides for, among others, a general incident management plan for a disruption to the standard delivery of IT services, a general comment that simulations of actual attacks could be carried out as part of a penetration test, and suggestions for FIs to implement security solutions that will adequately address and contain threats to their IT environment. In contrast, the TRM Guidelines require FIs to do the following:

- Establish a process to collect, process and analyse cyber-related information for its relevance and potential impact on an FI's business and IT environment
- Procure cyber intelligence monitoring services
- Establish a process to detect and respond to misinformation related to the FI that is propagated via the Internet, e.g., engaging external media monitoring services to facilitate the evaluation and identification of online misinformation
- Establish a security operations centre or acquire managed security services to facilitate continuous monitoring and analysis of cyber events
- Establish a cyber-incident response and management plan to isolate and neutralise a cyber threat and to securely resume affected services
- Establish a process of collecting, processing and analysing cyber-related information
- Establish minimal requirements for the vulnerability assessment, which include the vulnerability discovery process, the identification of weak security configurations and open network ports, and the extent of penetration testing to be carried out
- Carry out regular scenario-based cyber exercises to validate their response and recovery plan

As software development practices may vary across FIs, MAS expects FIs to assess the applicability of internationally recognised industry best practices on software development, adopt these practices, and train their developers so that they have skills commensurate with their job responsibilities.
However, MAS will still expect the following from FIs in relation to software application development and management:

- Ensure the service provider or vendor employs a high standard of care in performing the outsourced service, as if the service continued to be conducted by the FI
- Apply standards and practices that are aligned with the principles of software development and management, even if they contract or outsource software development to third parties
- Perform source code review and adequate security testing to ensure software robustness and security
- Perform risk assessment and address software weaknesses that pose significant risks to the confidentiality, integrity and availability of the system and data before its implementation
- Align their DevSecOps processes (the practice of automating and integrating IT operations, quality assurance and security practices in the software development process) with their System Development Life Cycle framework and IT service management processes

Adversarial attack simulation exercise

Adversarial attack simulation exercises test the FI's capability to prevent, detect and respond to threats by simulating perpetrators' tactics, techniques and procedures to target the people, processes and technology underpinning the FI's business functions or services.

FIs may use a combination of tools and techniques, either automated or otherwise, for vulnerability assessment and adversarial attack simulation exercises, which may be combined with intelligence-led exercises where the intelligence-led exercise also refers to an adversarial attack simulation exercise.

Management of cyber risks posed by emerging technologies

FIs should ensure the IoT devices connected to their networks are secure. Communication from IoT devices should be monitored so that FIs can detect and respond to suspicious activities in a timely manner. Information that will facilitate FIs in tracking or locating the IoT devices should be maintained.

If IoT devices do not have, or have minimal, security controls, FIs should assess whether they should allow such devices to be connected to their network, and implement appropriate processes and controls to mitigate the risks arising from such devices.
Key takeaways

While the TRM Guidelines are a set of principles or "best practice standards" that serve as guidance for FIs (i.e., they are not legal obligations on FIs per se), they provide further insight on the mandatory requirements set out in the following technology risk management notices issued by the MAS:

- Notice on Technology Risk Management[4]
- Notice on Cyber Hygiene[5]

These impose legal obligations on FIs and carry penalties for non-compliance. (Please see our earlier Alert: Monetary Authority of Singapore Issues New Rules to Strengthen Cyber Resilience of Financial Industry.)

In addition, as MAS' emphasis is on the degree of observance with the spirit of the Guidelines, how well an FI observes the 2021 Guidelines may have an impact on MAS' overall risk assessment of that FI.

MAS expects all FIs to take steps to ensure that their business operations comply with the 2021 Guidelines, particularly bearing in mind the following:

- The need for a heightened awareness of certain cybersecurity risks
- The need to conduct a stocktake of the information assets of the FI (even if it is to double check), as well as of the processes and controls that are in place to manage these information assets according to their security classification or criticality

Where the revisions appear to be heavily directed at larger FIs, MAS will allow FIs to adopt the TRM Guidelines based on the nature, size and complexity of their business, and will allow each FI to draw up its own roadmap to implement IT practices that meet the expectations in the TRM Guidelines.

We would be happy to advise you further on ensuring your key technology and cyber risk management principles and best practices meet MAS' expectations.
[1] Published at: https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf?la=en&hash=607D03D8FD460EBDA89FC2634E25C09B5D0ADDA3
[2] See MAS' response to the Consultation Paper at: https://www.mas.gov.sg/-/media/MAS/News-and-Publications/Consultation-Papers/Response-to-Consultation-Paper_TRM-Guidelines-2021.pdf?la=en&hash=DD65064FAD6D9C9A9BE603162D78675034ED70A2
[3] Published at: https://www.mas.gov.sg/regulation/guidelines/guidelines-on-outsourcing
[4] Published at: https://www.mas.gov.sg/regulation/notices/notice-cmg-n02
[5] Published at: https://www.mas.gov.sg/regulation/notices/notice-cmg-n03

Authors

Stephanie Magnus

Ken Chia

Eunice Tan: Eunice Tan is a local principal in the Financial Services Regulatory Practice Group of Baker McKenzie's Singapore office. She specialises in regulatory, legal and compliance matters affecting the financial services industry. She has been consistently recognised in Legal 500 Asia Pacific as the Next Generation Lawyer for Financial Services Regulatory, where she was "singled out for being smart and having the ability to navigate the Singapore regulatory landscape" and "is responsive, pleasant and willing to explore different parameters". Eunice graduated from King's College, London in 2004. She was admitted as Barrister-at-Law of England & Wales in 2005 and was called to the Singapore Bar in 2007.

Ying Yi Liew: Ying Yi is a local principal in the Financial Services Practice Group of Baker McKenzie Wong & Leow in Singapore. She focuses on regulatory and compliance issues in the financial services sector.

Alex Toh: Alex Toh is a senior associate in Baker McKenzie's Singapore office.


