Singapore: More Stringent Requirements under the MAS Technology Risk Management Guidelines
Regulated financial and insurance businesses in Singapore (FIs) must take additional compliance steps when managing their IT infrastructure and vendors, under the updated Technology Risk Management Guidelines recently introduced by the Monetary Authority of Singapore (MAS).
In particular, there is a greater emphasis on managing cyber risk and on closer regulation of IT vendors. The update to the Guidelines comes at a time when cyber threats and cyber attacks are becoming increasingly common.
Key updates to the Guidelines include the following:
Extended Roles and Responsibilities of the Board of Directors and Senior Management
The Board of Directors and senior management of FIs now have significantly greater responsibility for managing technology risk.
Among other things, the Guidelines recommend appointing a Chief Information Officer and a Chief Information Security Officer to manage the FI’s technology and cyber risks. In addition, senior management and the Board should include members who have the requisite skillset and experience for managing and overseeing the FI’s technology strategy and risks.
Assessments of Technology Vendors
Although due diligence and monitoring of technology vendors’ security practices were required under the earlier iteration of the Guidelines, the updated Guidelines provide more stringent guidance on the assessment that FIs should carry out on their vendors. Among other things, FIs should:
- establish standards and procedures for vendor evaluation and selection which should be commensurate with the criticality of the project deliverables to the FIs;
- carry out a detailed analysis of the vendor’s software development, quality assurance and security practices; and
- assess the robustness of the vendor’s software development and quality assurance practices.
Risk Management for New Technologies
The updated Guidelines introduce new requirements on relatively advanced technologies (for example, third-party access to APIs).
It is recommended that FIs adopt a variety of security measures before permitting third parties to access APIs, including:
- implementing a well-defined vetting process for assessing third parties who can connect to the FIs via APIs;
- establishing security standards for designing and developing secure APIs; and
- performing robust security screening and testing of the APIs.
The updated Guidelines also address security risk management in relation to technologies such as virtualisation of machines and Internet of Things devices.
Cyber Security Operations
To address the changing cyber security landscape, the Guidelines now also provide specific information on the steps FIs must take to proactively defend against cybersecurity risks.
In particular, the Guidelines provide that FIs should procure cyber intelligence monitoring services and establish a cyber incident response and management plan to isolate and neutralise cyber threats.
In view of the update to the Guidelines, FIs should:
- review and update their existing processes for contracting with vendors, and implement more detailed assessments for vendors where necessary;
- evaluate the types of technologies they adopt and assess if more stringent security measures should be adopted; and
- review and update their cyber security / cyber incident plan.
If you have any further enquiries or concerns about your cyber security measures in Singapore, please contact us.
DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.