Demystifying the MAS' 2021 Technology Risk Management Guidelines

Compliance | Published April 5, 2021

With the rising number and scale of cyberattacks, the Monetary Authority of Singapore (MAS) revised its Technology Risk Management (TRM) Guidelines on January 18, 2021. The TRM Guidelines apply to all financial institutions (FIs) that MAS regulates, ranging from large ones like banks, insurers and exchanges to small ones like venture capital managers and payment services firms.

The TRM Guidelines address the increased reliance on emerging technologies like cloud computing, application programming interfaces (APIs) and rapid software development, as well as the fast-changing cyber threat landscape. We view the 2021 version as a "best practice framework" for FIs: it takes most of the prior 2013 version as its base and outlines the governance practices and internal controls needed to pre-empt and address current risks.

Beyond addressing the new technologies deployed today, the 2021 guidelines place significantly more emphasis on cybersecurity and defence. To illustrate, in the 2013 guidelines we found that the word "cyber" appeared four times, always in the context of "cyber attack." In the 2021 version, "cyber" appears 74 times and is used to express a host of phenomena, such as "risk," "threat," "resilience," "security," "criminals," "incidents," "events," "intelligence," "exercises" and "range," reflecting how much the concept of cyber risk has grown in significance and sophistication over eight years.

Here are some of our key takeaways from the 2021 version of the TRM Guidelines:

More Focus on the Board of Directors and Senior Management Being Able to Understand and Manage Technology Risk, Including Cyber Risk

Both the 2013 and 2021 guidelines require the board of directors and senior management (BSM) to ensure that a TRM framework is established and maintained, and to oversee it. The 2021 guidelines add that the BSM should ensure the appointment of a Chief Information Officer (or equivalent) and a Chief Information Security Officer (or equivalent) with the requisite experience and expertise. MAS does allow this requirement to be modified for small firms with a limited headcount. However, the 2021 guidelines also state that the board should be trained on technology risk and TRM practices, which clearly shows that MAS would like to see the BSM keep up with rapid developments in technology risk.

Extending TRM to All Third Parties, Not Just Outsourced Service Providers

While the 2013 version considered third-party IT risk only in the context of outsourcing, the 2021 version recognizes that an FI's use of any third-party service that is delivered using IT, or that involves a third party storing or electronically processing confidential or sensitive customer information, poses risk if the third party suffers a system failure or security breach. The 2021 version thus asks FIs to assess and manage all third-party IT risks before entering into a contractual agreement or partnership, and to ensure that the third party employs a high standard of care and diligence concerning data confidentiality and system resilience.

New Section on Software Application Development and Management

Acknowledging that FIs are increasingly developing software in-house, the 2021 version has a section outlining standards that FIs should adopt on secure coding, source code review and application security testing. The section also addresses an FI's use of third-party and open-source software code, and the development and provision of APIs.

Enhanced Data and Infrastructure Security in Light of New Technologies

While the 2013 version already set out measures to guard against cyberattacks, the 2021 revision has enhancements that address prevailing phenomena like Bring Your Own Device (BYOD), virtualization and the Internet of Things.

New Section on Cyber Security Operations

The 2021 guidelines ask FIs to collect and process information on cyber events, threat intelligence and system vulnerabilities, and to assess the potential impact on the FI's business and IT environment. FIs should also actively exchange timely and actionable cyber threat information with trusted parties, while remaining alert to misinformation. FIs should also establish a security operations centre, or acquire managed security services, to monitor for attempted or actual cyberattacks, and establish a cyber incident response and management plan to resolve cyber threats and resume affected services.

Added Measures to Assess the Firm's Cyber Security

The 2013 version already prescribed vulnerability assessment and penetration testing. The 2021 version adds that FIs should carry out regular scenario-based exercises, such as social engineering, tabletop or cyber range exercises, to check the FI's response, recovery and communication plans against cyber threats. FIs should also perform an adversarial attack simulation exercise. This provides a more realistic picture of an FI's capability to prevent, detect and respond to real adversaries, by simulating the tactics, techniques and procedures of real-world attackers against the people, processes and technology underpinning the FI's critical business functions or services. The 2021 guidelines also suggest what remediation process should be established to track and resolve issues identified from cyber security assessments or exercises.

Appropriately implemented, the revised guidelines will bolster the preparedness of Singapore's financial ecosystem and place firms on firmer footing as they navigate a post-COVID-19 climate.

This article was originally published on Fintech News Singapore.