MAS Technology Risk Management (TRM) Guidelines 2021: The Complete Guide for Financial Services

By Victor Chin

The latest MAS Technology Risk Management Guidelines (TRMG) were released on the 18th of January 2021, 8 years since the last major release in 2013. In this article, we break down key changes that Financial Institutions need to know to comply with the new Guidelines.

What are the MAS TRM Guidelines 2021 about?

The MAS TRM Guidelines 2021 set out regulations for Financial Institutions in Singapore focused on cyber resilience, software development and cloud. It is a nod to the digital transformations happening amongst Financial Institutions around the world.

Traditional Financial Institutions (FIs) are now pressured to evolve like technology companies. JPMorgan Chase chairman and CEO Jamie Dimon noted FinTechs being an enormous competitive threat to banks in his annual shareholder letter released this year, 2021.

(Reference: JPMorgan Chase Annual Shareholder Letter 2021)

To keep up, traditional FIs either develop complex financial services and applications for their consumers or integrate services with FinTechs. Either way, there are technology risks involved.

What are the top 10 key updates in MAS TRM 2021?

The MAS TRM Guidelines 2021 stress the following areas, which we detail more in this post:

1. Increased Role of Board and Senior Management
2. IT Project Management
3. Software Application Development and Management
4. Remote Access Management
5. Bring Your Own Device (BYOD)
6. Data and Infrastructure Security
7. Cybersecurity Operations
8. Cyber Exercises
9. Penetration Testing
10. Online Financial Services

Who needs to comply with the MAS TRM Guidelines?
The Guidelines apply to all licensed financial institutions and their service providers, such as:

Funding and Investment Related Companies
- Approved CIS Trustee
- Dealing in Capital Markets Products
- Product Financing
- Providing Custodial Services
- Licensed Fund Management Company
- Registered Fund Management Company
- Venture Capital Fund Management Company
- Corporate Finance Advisory
- REIT Management
- Credit Rating Agency
- Securities Crowdfunding
- Licensed Trust Company

Insurance Companies and Reinsurers
- Direct Insurer (Life)
- Direct Insurer (General)
- Direct Insurer (Composite)
- Reinsurer (Life)
- Reinsurer (General)
- Reinsurer (Composite)
- Captive Insurer
- Lloyd's Asia Scheme
- Financial Holding Company (Insurance)
- General Insurance Agents

Financing Companies & Banks
- Finance Company
- Full Bank (Branch)
- Full Bank (Locally Incorporated)
- Merchant Bank (Branch)
- Merchant Bank (Locally Incorporated)
- Wholesale Bank (Branch)
- Wholesale Bank (Locally Incorporated)
- Financial Holding Company

Credit & Payments Related Companies & Banks
- Credit/Charge Card Issuer
- Designated Payment System Operator
- Designated Payment System Settlement Institution
- Credit and Charge Card Licensee
- Major Payment Institution
- Standard Payment Institution
- Money-changing Licensee

Market Operators & Financial Exchange
- Markets and Exchanges
- Clearing House
- Trade Repository
- Benchmark Administrator/Submitter
- Central Securities Depository
- Holding Company of Exchange or Clearing House

Reference: Monetary Authority of Singapore

Note: FIs need to conduct a gap analysis to determine any non-compliance with the MAS TRM requirements. Any non-compliance as a result of implementation difficulties needs to be documented and explained, with mitigating controls in place.

On third-party risks, there are also expectations for service providers of FIs to have secure and resilient systems. We explain more about that under "Expectations for Service Providers" below.

1. Increased Role of Board and Senior Management

All members of the Board of Directors (BoD) have direct responsibility for oversight of technology risk. It is a wake-up call for some institutions who see IT as just a cost function.
Some key requirements to note are as follows:

- BoD and Senior Management must have members with the knowledge to understand and manage technology risks.
- FIs should appoint a Chief Technology Officer and a Chief Security Officer (or equivalent, for smaller FIs).
- BoD should have governance and oversight over technology risks, including making key IT decisions.
- FIs should have a technology risk management strategy in place.
- BoD should undergo security awareness training.

For technology and information security leaders, the MAS TRM Guidelines 2021 present a new window of opportunity to engage your higher management on technology and security matters. It is essential to communicate what the FI's technology risks are and, more importantly, how they impact the business. It is equally important to present a plan of action to manage these risks.

"All Financial Institutions should move from a siloed perspective and view technology as an integral part of the business."

Technology comes with costs and risks, but it is also a business enabler that can provide value and efficiency if a proper strategy is in place. It is a culture change on the part of higher management to have an open mind when it comes to understanding technology opportunities, challenges, and risks. The challenge for technology and security professionals is to deliver a technology risk management strategy that clearly explains the impact on business objectives for higher management to understand and appreciate.

Checklist: Increased Role of Board and Senior Management
- Update the BoD Charter to include technology risk-related responsibilities.
- Have BoD member(s) who are experienced in technology risk management.
- Appoint senior technology and security related roles in the FI that have reporting lines to the BoD and Senior Management.
- Establish a governance process to enable effective reporting of technology matters to higher management.
- Conduct security awareness training for the BoD and Senior Management.
2. IT Project Management

Another key focus is the governance of IT projects undertaken by FIs. This includes creating a project committee for large and complex projects, clear requirements for conducting vendor due diligence, Security-by-Design and a quality management process.

First and foremost, senior management is expected to be involved in large and complex IT projects that impact the business. This is to ensure that all business and security project risks are adequately addressed.

Requirements for vendor due diligence are made more explicit in the MAS TRM Guidelines 2021. FIs should establish standards and procedures for assessing the security of the vendor and its applications. Depending on the criticality of the application, the Guidelines suggest that the FI should have access to the source code of the third-party software.

There is also an emphasis on Security-by-Design that is in line with the industry trend of shifting security left in the software development lifecycle. A Security-by-Design approach streamlines the development of a secure application, avoiding the complications that normally arise from having security as an afterthought.

Checklist: IT Project Management
- Establish standards and procedures for vendor due diligence.
- Design secure architecture for systems and applications.
- Develop a vendor due diligence process and procedures.
- Establish a project steering committee for large and complex projects that involves key stakeholders and senior management.

3. Software Application Development and Management

The secure development of Application Programming Interfaces (APIs) is the key focus here. MAS recognises that financial services have become an interconnected ecosystem. FIs will increasingly collaborate and provide complex financial services to consumers by connecting to each other's systems using APIs.
APIs should be sufficiently secure for the fintech ecosystem to flourish. Although API security is a complex topic that overlaps with other technology domains, the TRM Guidelines 2021 sufficiently expound on key points: for example, the governance of third-party API access, security standards for API development and design, strong encryption, API security testing during pre-production, and real-time monitoring of API calls and availability. A new requirement has been introduced that requires FIs to vet customers who want to consume their APIs.

Checklist: Software Application Development and Management
- Design, establish and enforce API standards during the software development lifecycle.
- Develop a secure software development lifecycle.
- Establish policies and procedures to govern and manage third-party access to APIs.
- Establish segregation of duties for DevSecOps.
- Establish secure coding practices, source code reviews and application security testing, especially if practising Agile.
- Manage end-user application risk using whitelists.

4. Remote Access Management

The MAS TRM Guidelines 2021 provide foundational regulations for remote access management that focus on secure authentication, as well as the security of the devices that are used to remotely access an FI's information assets.

Strong authentication refers to the use of multi-factor authentication (MFA) to add another layer of protection to ensure the identity of the entity requesting access to the FI's IT environment.

Industry-accepted encryption algorithms should be used to secure communication channels, safeguarding the integrity of any data or API calls. The Guidelines have an entire chapter outlining security practices on cryptography.

FIs should also ensure that the devices used to access their information assets have been hardened and adequately protected before access is granted. For example, devices should have endpoint protection solutions installed as well as be securely configured. Such practices allow secure remote connections by protecting the physical and network infrastructure supporting the remote connections.
Checklist: Remote Access Management
- Establish processes and procedures to harden devices.
- Develop a secure identity and access management (IAM) model.
- Implement endpoint protection solutions to protect and monitor devices.
- Use industry-accepted encryption algorithms to protect communication channels.
- Implement multi-factor authentication.

5. Bring Your Own Device (BYOD)

Bring Your Own Device (BYOD) refers to employees using personal devices to access business information and systems. BYOD is a double-edged sword. It permits a mobile and dynamic workforce but also introduces security risks that should be addressed by FIs.

Therefore, the Guidelines recommend that FIs revise their BYOD policies and procedures with security controls such as Mobile Device Management (MDM) or virtualisation solutions.

Mobile Device Management (MDM) solutions can be used to manage and control mobile devices and have features such as storage encryption, remote wipe, and baseline security monitoring. Virtualisation solutions allow end-users to remotely access the FI's IT systems and applications via mobile devices through a virtual environment or sandbox. We explain more about virtualisation in the next section.

Checklist: Bring Your Own Device (BYOD)
- Implement MDM and/or virtualisation solutions.
- Establish BYOD policies and procedures around how personal devices can be used for business purposes.

6. Data and Infrastructure Security

The new Guidelines emphasise endpoint protection, with MAS recommending hardening of endpoints in line with industry best practices, such as Center for Internet Security (CIS) Benchmarks. This includes secure configurations as well as the implementation and maintenance of endpoint protection solutions.

The network security section recommends the use of Network Intrusion Prevention Systems (NIPS) and Network Access Control (NAC) to detect and block malicious traffic, along with more traditional network security devices like firewalls. These devices should constantly be kept updated.
Like BYOD, the MAS TRM Guidelines 2021 introduce virtualisation technology for the first time. Appropriate policies and procedures to manage virtual machines and snapshots should be implemented. Access to hypervisors and the systems hosting hypervisors should be restricted.

The Guidelines also bring up sandboxed browsing and IoT security. Sandboxed browsing means "isolating internet web browsing activities from its endpoint devices". In short, it protects your computer from the harmful effects of browsing.

As for IoT security, IoT devices need to be hardened, and IoT networks need to be segregated from networks that host the FI's data and systems.

Checklist: Data and Infrastructure Security
- Review your security architecture and ensure Network Intrusion Prevention Systems (NIPS) and Network Access Control (NAC) are set up effectively.
- Review your IT environments and security architecture to define clear zones that prevent attacker movement.
- Evaluate the internet browsers in use and sandboxed browsing for implementation.
- Ensure policy, standards and access controls are implemented for the lifecycle of virtual images, snapshots and the use of hypervisors.
- Segregate IoT devices from your core operations and subject them to security testing and security controls (e.g. access control and security monitoring).

7. Cybersecurity Operations

FIs are highly encouraged to procure cyber intelligence monitoring services and participate in cyber threat information-sharing arrangements.

Threat intelligence includes, but is not limited to, services that keep FIs updated on the latest malware and system vulnerabilities, as well as the Tactics, Techniques and Procedures (TTPs) used by Advanced Persistent Threat (APT) groups targeting FIs.

FIs should also participate in or subscribe to cyber intelligence sharing platforms like FS-ISAC, IT-SAC, SingCert, or CVE. Such activities help to improve the resilience of FIs against cyber attacks.

Other recommendations include the capability to detect and respond to misinformation propagated via the internet, as well as establishing cyber incident response capabilities.
Checklist: Cybersecurity Operations
- Subscribe to or participate in ISACs and CERTs, as well as other commercial alternatives.
- Develop threat and vulnerability management programs.
- Procure threat intelligence monitoring services.
- Develop incident response capabilities.
- Establish policies and procedures to deal with misinformation propagated via the internet.

8. Cyber Exercises

Another area to explore is participation in scenario-based cyber exercises based on threat intelligence, including social engineering, table-top exercises, and adversarial attack simulation exercises. Such exercises allow FIs to test their detection and response capabilities as well as their decision-making during a real crisis.

Checklist: Cyber Exercises
- Conduct scenario-based cyber exercises involving key stakeholders and senior management.
- Conduct adversarial attack simulation exercises.

9. Penetration Testing

The MAS TRM Guidelines 2021 call for penetration testing (PT) of internet-facing systems to be conducted at least annually or after a major change. Additionally, they recommend that penetration testing be conducted in production environments.

More notably, as a sign of changing times, the Guidelines endorse bug bounty programs as an acceptable method to complement an FI's vulnerability and penetration testing program.

Checklist: Penetration Testing
- Review the scope of penetration testing to include internal and production systems.
- Conduct penetration tests annually or after a major change.

10. Online Financial Services

Online Financial Services include new requirements to actively monitor phishing campaigns against the users of your services, as well as requirements on encryption, digital signatures, application sandboxing, device root protection and mobile application security.
The Guidelines also cover implementing Customer Authentication and Transaction Signing requirements such as MFA, transaction signing, adaptive authentication, time-based OTPs, biometrics, soft tokens, session protection, maker-checker functions, and secure credential storage.

Next, let's talk about real-time fraud monitoring systems. While this is a common practice in some areas such as credit card transactions, the MAS TRM Guidelines 2021 have expanded the scope to include any online transaction. This is a significant new requirement for services that don't already do this.

Other Areas of Emphasis

Now that we are done with the Top 10 Key Focus Areas, we can touch upon other areas that should also be addressed.

Establish a proper risk management framework

The name of the Guidelines implies that Risk Management is a key concept. MAS encourages a risk-based approach in the adoption of the TRM Guidelines when assessing compliance. In short, FIs should have a mechanism in place to identify, assess, treat and monitor their risks.

Implement Your Policies and Keep Track of Compliance

Policies and procedures should not be a mere piece of a document, but should rather drive the consistent implementation of controls to protect the FI's assets and help achieve business objectives.

Insure Yourself Against Cyber Risk

MAS now requires FIs to take technology risk insurance. Financial protection aside, insurance gives FIs access to a panel of experts such as lawyers and forensic specialists to help in responding to cyber incidents more effectively.

Know Your Assets and Assign Accountability

FIs should start with understanding their assets, where they are, and who has access to them. It is also important to assess their impact on the organisation such that better decisions can be made on the right level of protection. Assets must have assigned owners who are responsible for ensuring that assets are properly managed throughout their lifecycle.
Conduct Background Checks

Background screening of personnel with access to the FI's systems and data, including third parties, is needed to support hiring decisions based on candidate suitability, and to protect against operational risks.

Establish a Resilient Architecture and Test for Recovery

FIs should also document recovery plans and test these periodically using plausible disruption scenarios. Finally, FIs should aim to operate from a recovery or alternate setup for an extended period for a more relevant test.

What are the MAS TRM Guidelines 2021 expectations for service providers?

Financial Institutions are increasingly reliant on service providers to perform business-critical activities, which introduces risk. Therefore, the TRM Guidelines 2021 set out several expectations for service providers to securely and reliably support FIs.

Stringent Due Diligence

FIs are expected to conduct stringent due diligence on service providers to ensure that they do not pose any unnecessary risks to the FIs. These due diligence exercises are holistic and include many aspects of technology risk management. Service providers should also consider undertaking industry-recognised security compliance certifications and attestations like ISO 27001 and SOC 2 Type II to help ensure they have the right control framework and can demonstrably meet this due diligence.

Competency and Background Checks

Service providers are also expected to prove that their employees are competent and sufficiently skilled for the task. This can be fulfilled by providing professional development opportunities like training and certifications. Background checks should also be conducted on the staff of service providers. This reduces any risks related to insider threats.
Disaster Recovery Capability

To promote a resilient financial services ecosystem, FIs and their service providers should have advanced disaster recovery capabilities. Service providers should have disaster recovery policies and procedures in place. Disaster recovery testing and arrangements should be carried out at regular intervals to ensure that target RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are met. Additionally, disaster recovery testing should be a coordinated effort between service providers and the FI to troubleshoot any potential problems during an actual disaster recovery situation.

System Security

Service providers managing any systems on behalf of FIs should ensure that these systems are appropriately protected and adhere to the FI's system security standards. The service provider should conduct system hardening activities to meet the applicable security standards. Additionally, reputable endpoint protection solutions should also be installed. These activities help secure the software supply chain, as all systems with access to the FI's IT environment, as well as systems managed by service providers, are appropriately secured.

Interconnected Ecosystem

MAS also expects FIs and service providers to work closer together for a more resilient financial services ecosystem. Service providers are expected to undergo security awareness training programs conducted by the FIs, as well as be part of the FI's cyber exercises, if applicable. Such partnership will foster a more dynamic and closer working relationship, which will be crucial in times of crisis.

Takeaways

With technology playing such a crucial role in Financial Institutions, senior management and the Board of Directors need to be more involved and must understand technology risk in the ever-changing cyber threat landscape.

There is an increased emphasis on secure development practices and API security. This includes a 'shift-left' where the security requirements of any IT project should be considered at the beginning of the design phase.

Adapting to fast-changing times, Bug Bounty programs are now a legitimate complement to Penetration Testing programs in FIs.
Security controls and cyber tooling are also more prescriptive. The emphasis on tools and practices improves the resilience of FIs in Singapore by improving their capabilities to detect, respond to and recover from cyber attacks.

View the original MAS TRM Guidelines 2021 on the Monetary Authority of Singapore website.


