The Monetary Authority of Singapore (MAS) has revised its Technology Risk Management guidelines amid heightened cyber risk.
According to the regulator, the revised guidelines focus on addressing technology and cyber risks as financial institutions (FIs) increasingly employ the likes of cloud technologies, application programming interfaces, and rapid software development. These guidelines reinforce the importance of incorporating security controls as part of FIs’ technology development and delivery lifecycle, as well as in the deployment of emerging technologies.
The revision comes after a spate of cyberattacks on supply chains, targeting multiple IT service providers through the exploitation of widely used network management software. This, MAS said, is a clear indication of a worsening cyber threat environment.
The guidelines aim to direct FIs to establish a robust process for the timely analysis and sharing of cyber threat intelligence within the financial ecosystem, and conduct cyber exercises, which allow FIs to stress test their cyber defences by simulating a real-world attack.
With FIs becoming more reliant on third-party service providers, the guidelines also set out the expectation for FIs to exercise strong oversight of arrangements with these providers, to ensure system resilience as well as maintain data confidentiality and integrity.
FIs are also encouraged to appoint a qualified chief information officer and chief information security officer, and to appoint members of their board with relevant knowledge of cyber risk management.
“Technology now underpins most aspects of financial services,” said Tan Yeow Seng, chief cyber security officer, MAS. “Not only are financial institutions adopting new technologies, they are also increasingly reliant on third party service providers. The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions.”