MAS revises Technology Risk Management Guidelines to ...


Knowledge Highlights
1 February 2021

On 18 January 2021, the Monetary Authority of Singapore (“MAS”) issued the revised Technology Risk Management Guidelines (“Guidelines”) to keep pace with emerging technologies and shifts in the cyber threat landscape.

The revised Guidelines focus on addressing technology and cyber risks amid the growing use of cloud technologies, application programming interfaces and rapid software development by financial institutions (“FIs”). The Guidelines reinforce the importance of incorporating security controls as part of FIs’ technology development and delivery lifecycle, as well as in the deployment of emerging technologies.

Roles and responsibilities of board of directors and senior management

The revised Guidelines provide additional guidance on the roles and responsibilities of the board of directors and senior management, including the following:

- Both the board of directors and senior management should have members with the knowledge to understand and manage technology risks, which include risks posed by cyber threats.
- The board of directors and senior management should ensure that a Chief Information Officer and a Chief Information Security Officer, with the requisite experience and expertise, are appointed.
- The board of directors and senior management should ensure that key information technology (“IT”) decisions are made in accordance with the FI’s risk appetite.

Enhanced risk mitigation strategies

The revised Guidelines set out the following enhanced risk mitigation strategies for FIs:

- Cyber threat intelligence and information sharing: To maintain good cyber situation awareness, FIs should establish a process to collect, process and analyse cyber-related information for its relevance and potential impact to the FI’s business and IT environment. In addition, FIs should procure cyber intelligence monitoring services. As cyber threat information sharing is an important component of cyber resilience within the financial ecosystem, FIs should actively participate in cyber threat information-sharing arrangements with trusted parties to share and receive timely and actionable cyber threat information.
- Stress testing of cyber defences: FIs should conduct cyber exercises to stress test their cyber defences by simulating the attack tactics, techniques, and procedures used by real-world attackers.

The Guidelines have also been revised to include additional guidance to manage risks arising from emerging technologies, including the following:

- Virtualisation security: FIs should ensure that security standards are established for all components of a virtualisation solution (e.g. the hypervisor, the host operating system and the guest operating system). Strong access controls should be implemented to restrict administrative access to the hypervisor and host operating system. FIs should also establish policies and standards to manage virtual images and snapshots to protect these assets against unauthorised access or modification.
- Internet of Things: FIs should maintain an inventory of all their Internet of Things (“IoT”) devices, including information such as the networks to which they are connected and their physical locations. In addition, the network that hosts IoT devices should be secured and FIs should implement controls to prevent unauthorised access to IoT devices.

Oversight of arrangements with third-party service providers

In light of FIs’ growing reliance on third-party service providers, the revised Guidelines set out the expectation for FIs to exercise strong oversight of arrangements with third-party service providers. On an ongoing basis, FIs should ensure that third-party service providers employ a high standard of care and diligence in protecting data confidentiality and integrity as well as ensuring system resilience.

Background

The revised Guidelines incorporate feedback received from the public consultation conducted in 2019, MAS’ engagement with the industry, and MAS’ Cyber Security Advisory Panel. MAS issued its response to feedback received on the consultation paper on 18 January 2021.

Reference materials

The following materials are available on the MAS website www.mas.gov.sg:

- Press release: MAS enhances guidelines to combat heightened cyber risks
- Technology Risk Management Guidelines
- Response to feedback received on consultation paper on Proposed Revisions to Technology Risk Management Guidelines
- Annexes to Response to feedback on consultation paper on Proposed Revisions to Technology Risk Management Guidelines

Allen & Gledhill Regulatory & Compliance

To assist our clients with compliance matters, our consultancy arm, Allen & Gledhill Regulatory & Compliance, provides a range of services and solutions. Should you have any queries relating to compliance issues arising out of these developments, please contact: [email protected]

Authored by: Adrian Ang, Francis Mok, Catherine Neo, Karen Tiah (Singapore)


