MAS Technology Risk Management (TRM) Guidelines 2021: The Complete Guide for Financial Services
The latest MAS Technology Risk Management Guidelines (TRMG) were released on 18 January 2021, eight years after the previous major release in 2013. In this article, we break down the key changes that Financial Institutions need to know about to comply with the new Guidelines.
What is the MAS TRM Guidelines 2021 about?
The MAS TRM Guidelines 2021 set out MAS's expectations of Financial Institutions in Singapore on managing technology risk, with a particular focus on cyber resilience, software development and cloud. They are a nod to the digital transformation happening amongst Financial Institutions around the world.
Traditional Financial Institutions (FIs) are now under pressure to evolve like technology companies. JPMorgan Chase chairman and CEO Jamie Dimon described FinTechs as an enormous competitive threat to banks in his annual shareholder letter released in 2021.
To keep up, traditional FIs either develop complex financial services and applications for their consumers or integrate services with FinTechs. Either way, there are technology risks involved.
What are the top 10 key updates in MAS TRM 2021?
The MAS TRM Guidelines 2021 stresses the following areas, which we detail more in this post:
- Increased Role of Board and Senior Management
- IT Project Management
- Software Application Development and Management
- Remote Access Management
- Bring Your Own Device (BYOD)
- Data and Infrastructure Security
- Cybersecurity Operations
- Cyber Exercises
- Penetration Testing
- Online Financial Services
Who needs to comply with the MAS TRM Guidelines?
The Guidelines apply to all MAS-licensed financial institutions (and, through the FIs' own obligations, to the service providers that support them), including:
Funding and Investment Related Companies
- Approved CIS Trustee
- Dealing in Capital Markets Products
- Product Financing
- Providing Custodial Services
- Licensed Fund Management Company
- Registered Fund Management Company
- Venture Capital Fund Management Company
- Corporate Finance Advisory
- REIT Management
- Credit Rating Agency
- Securities Crowdfunding
- Licensed Trust Company
Insurance Companies and Reinsurers
- Direct Insurer (Life)
- Direct Insurer (General)
- Direct Insurer (Composite)
- Reinsurer (Life)
- Reinsurer (General)
- Reinsurer (Composite)
- Captive Insurer
- Lloyd's Asia Scheme
- Financial Holding Company (Insurance)
- General Insurance Agents
Financing Companies & Banks
- Finance Company
- Full Bank (Branch)
- Full Bank (Locally Incorporated)
- Merchant Bank (Branch)
- Merchant Bank (Locally Incorporated)
- Wholesale Bank (Branch)
- Wholesale Bank (Locally Incorporated)
- Financial Holding Company
Credit & Payments Related Companies & Banks
- Credit/Charge Card Issuer
- Designated Payment System Operator
- Designated Payment System Settlement Institution
- Credit and Charge Card Licensee
- Major Payment Institution
- Standard Payment Institution
- Money-changing Licensee
Market Operators & Financial Exchanges
- Markets and Exchanges
- Clearing House
- Trade Repository
- Benchmark Administrator/Submitter
- Central Securities Depository
- Holding Company of Exchange or Clearing House
Note: FIs need to conduct a gap analysis to identify any non-compliance with the MAS TRM requirements. Any non-compliance arising from implementation difficulties needs to be documented and explained, with mitigating controls put in place.
On third-party risks, there are also expectations for service providers of FIs to have secure and resilient systems. We will explain more about that in Expectations for Service Providers.
1. Increased Role of Board and Senior Management
All members of the Board of Directors (BoD) have direct responsibility for the oversight of technology risk. It is a wake-up call for institutions that still see IT as just a cost function.
Some key requirements to note are as follows:
- BoD and Senior Management must have members with knowledge to understand and manage technology risks.
- FIs should appoint a Chief Information Officer or Chief Technology Officer, and a Chief Information Security Officer (or equivalent roles in smaller FIs).
- BoD should have governance and oversight over technology risks, including making key IT decisions.
- FIs should have a technology risk management strategy in place.
- BoD should undergo security awareness training.
For technology and information security leaders, MAS TRM Guidelines 2021 presents a new window of opportunity to engage your higher management on technology and security matters. It is essential to communicate what the FI's technology risks are, and more importantly, how it impacts the business. It is equally important to present a plan of action to manage these risks.
Technology comes with costs and risks, but it is also a business enabler that can provide value and efficiency if a proper strategy is in place. It is a culture change on the part of higher management to have an open mind when it comes to understanding technology opportunities, challenges, and risks.
The challenge for technology and security professionals is to deliver a technology risk management strategy that clearly explains the impact on business objectives for higher management to understand and appreciate.
2. IT Project Management
Another key focus is the governance of IT projects undertaken by FIs. This includes creating a project committee for large and complex projects, clear requirements for conducting vendor due diligence, Security-by-Design and a quality management process.
First and foremost, senior management is expected to be involved in large and complex IT projects that impact the business. This is to ensure that all business and security project risks are adequately addressed.
Requirements for vendor due diligence are made more explicit in the MAS TRM Guidelines 2021. FIs should establish standards and procedures for assessing the security of a vendor and of its applications. Depending on the criticality of the application, the Guidelines suggest that the FI should have access to the source code of third-party software so that it can be reviewed.
There is also an emphasis on Security-by-Design, in line with the industry trend of shifting security left in the software development lifecycle. A Security-by-Design approach streamlines the development of a secure application and avoids the complications that normally arise from treating security as an afterthought.
3. Software Application Development and Management
The secure development of Application Programming Interfaces (APIs) is the key focus here. MAS recognises that financial services have become an interconnected ecosystem. FIs will increasingly collaborate and provide complex financial services to consumers by connecting to each other's systems using APIs.
APIs must be sufficiently secure for the FinTech ecosystem to flourish. Although API security is a complex topic that overlaps with other technology domains, the TRM Guidelines 2021 cover the key points well: governance of third-party API access, security standards for API design and development, strong encryption of API traffic, security testing of APIs before they reach production, and real-time monitoring of API calls and availability. A new requirement is that FIs vet the third parties that want to consume their APIs before granting them access.
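As an added example (not code from the page or from MAS), here is a minimal gateway-side check in Python that applies three of the points above to every incoming API call: the caller must be a registered and vetted third party, must hold the scope it is requesting, and is held to a per-client rate limit; every decision, allowed or denied, is written as a structured audit event that a SOC can feed into real-time monitoring. The client registry, API keys, scopes, endpoints and limits are constructed for illustration.

```python
import hashlib
import json
import time
from collections import defaultdict, deque


def key_digest(api_key: str) -> str:
    """Only a SHA-256 digest of each API key is stored, so a leaked registry is not a leaked credential."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed registry of API consumers (hypothetical names, keys and limits).
# "vetted" records the outcome of the FI's onboarding due diligence on the third party.
CLIENT_REGISTRY = {
    key_digest("acme-key-001"): {
        "client_id": "acme-fintech",
        "vetted": True,
        "scopes": {"accounts:read"},
        "rate_limit_per_window": 3,
    },
    key_digest("partner-key-002"): {
        "client_id": "pending-partner",
        "vetted": False,  # onboarding review not yet completed: no access yet
        "scopes": {"accounts:read"},
        "rate_limit_per_window": 100,
    },
}


class ApiGateway:
    """Authorises third-party API calls and emits one structured audit event per call."""

    def __init__(self, registry, window_seconds: int = 60):
        self.registry = registry
        self.window = window_seconds
        self.calls = defaultdict(deque)  # client_id -> timestamps of allowed calls in the window
        self.audit_log = []              # events for the SOC / SIEM

    def authorize(self, api_key: str, scope: str, endpoint: str, now=None):
        now = time.time() if now is None else now
        client = self.registry.get(key_digest(api_key))
        client_id = client["client_id"] if client else "unknown"
        allowed, reason = self._decide(client, client_id, scope, now)
        if allowed:
            self.calls[client_id].append(now)  # only allowed calls consume quota
        self._audit(now, client_id, endpoint, scope, allowed, reason)
        return allowed, reason

    def _decide(self, client, client_id, scope, now):
        if client is None:
            return False, "unknown_client"
        if not client["vetted"]:
            return False, "client_not_vetted"
        if scope not in client["scopes"]:
            return False, "scope_not_granted"
        recent = self.calls[client_id]
        while recent and now - recent[0] >= self.window:  # slide the window forward
            recent.popleft()
        if len(recent) >= client["rate_limit_per_window"]:
            return False, "rate_limited"
        return True, "ok"

    def _audit(self, now, client_id, endpoint, scope, allowed, reason):
        event = {"ts": now, "client_id": client_id, "endpoint": endpoint, "scope": scope,
                 "decision": "allow" if allowed else "deny", "reason": reason}
        self.audit_log.append(event)
        return event

    def denials_by_client(self):
        """Denials per client: the aggregate a monitoring rule would alert on."""
        counts = defaultdict(int)
        for event in self.audit_log:
            if event["decision"] == "deny":
                counts[event["client_id"]] += 1
        return dict(counts)


if __name__ == "__main__":
    gw = ApiGateway(CLIENT_REGISTRY)
    for key, scope, t in [("acme-key-001", "accounts:read", 1000.0),
                          ("acme-key-001", "payments:write", 1001.0),
                          ("no-such-key", "accounts:read", 1002.0),
                          ("partner-key-002", "accounts:read", 1003.0)]:
        gw.authorize(key, scope, "/v1/accounts", now=t)
    for event in gw.audit_log:
        print(json.dumps(event))
```

The audit event carries the client identity and the reason for a denial, so a spike of `scope_not_granted` or `rate_limited` events for one client can be alerted on without any further parsing.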
4. Remote Access Management
The MAS TRM Guidelines 2021 set out foundational requirements for remote access management that focus on strong authentication, as well as on the security of the devices used to remotely access an FI's information assets.
Strong authentication refers to the use of multi-factor authentication (MFA), which adds another layer of protection to verify the identity of the entity requesting access to the FI's IT environment.
Industry-accepted encryption algorithms should be used to secure communication channels, safeguarding the confidentiality and integrity of any data or API calls in transit. The Guidelines have an entire chapter on cryptography practices.
FIs should also ensure that the devices used to access their information assets have been hardened and adequately protected before access is granted. For example, devices should have endpoint protection solutions installed and be securely configured. Together with protection of the physical and network infrastructure that supports the remote connections, these practices allow remote access to be granted securely.
5. Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD) refers to employees using personal devices to access business information and systems. BYOD is a double-edged sword. It permits a mobile and dynamic workforce but also introduces security risks that should be addressed by FIs.
Therefore, the Guidelines recommend that FIs revise their BYOD policies and procedures with security controls such as Mobile Device Management (MDM) or virtualisation solutions.
Mobile Device Management (MDM) solutions can be used to manage and control mobile devices and have features such as storage encryption, remote wipe, and baseline security monitoring. Virtualisation solutions allow end-users to remotely access the FI's IT systems and applications via mobile devices through a virtual environment or sandbox. We will explain more about Virtualisation in the next section.
6. Data and Infrastructure Security
The new Guidelines emphasise endpoint protection, with MAS recommending hardening of endpoints in line with industry best practices, such as Center for Internet Security (CIS) Benchmarks.
This includes secure configurations as well as the implementation and maintenance of endpoint protection solutions.
The network security section recommends the use of Network Intrusion Prevention Systems (NIPS) and Network Access Control (NAC) to detect and block malicious traffic, alongside more traditional network security devices such as firewalls. These devices, and their signatures and rules, should be kept up to date.
Like BYOD, virtualisation technology appears in the MAS TRM Guidelines 2021 for the first time. Appropriate policies and procedures for managing virtual machines and snapshots should be implemented, and access to hypervisors and to the systems hosting hypervisors should be restricted.
The Guidelines also brought up sandboxed browsing and IoT Security. Sandboxed browsing means “isolating internet web browsing activities from its endpoint devices”. In short, it protects your computer from the harmful effects of browsing.
As for IoT Security, IoT devices need to be hardened, and IoT networks need to be segregated from networks that host the FI's data and systems.
7. Cybersecurity Operations
FIs are highly encouraged to procure cyber intelligence monitoring services and participate in cyber threat information-sharing arrangements.
Threat intelligence includes, but is not limited to, services that keep the FIs updated on the latest malware, system vulnerabilities as well as Tactics, Techniques and Procedures (TTPs) used by Advanced Persistent Threat (APT) groups targeting FIs.
FIs should also participate in or subscribe to cyber intelligence sharing platforms such as FS-ISAC, IT-ISAC and SingCERT, and track vulnerability disclosures through sources such as the CVE list. Such activities help to improve the resilience of FIs against cyberattacks.
Other recommendations include the capability to detect and respond to misinformation propagated via the internet as well as establishing cyber incident response capabilities.
8. Cyber Exercises
Another area to explore is participation in scenario-based cyber exercises informed by threat intelligence, including social engineering tests, table-top exercises, and adversarial attack simulation exercises. Such exercises allow FIs to test their detection and response capabilities, as well as their decision-making, before a real crisis.
9. Penetration Testing
MAS TRM Guidelines 2021 calls for penetration testing (PT) of internet-facing systems to be conducted at least annually or after a major change. Additionally, it recommends that penetration testing be conducted in production environments.
More notably, as a sign of changing times, the Guidelines endorse bug bounty programs as an acceptable method to complement an FI's vulnerability and penetration testing program.
10. Online Financial Services
The Online Financial Services chapter includes new requirements to actively monitor for phishing campaigns against the users of your services, as well as requirements on encryption, digital signatures, application sandboxing, detection of rooted or jailbroken devices, and mobile application security.
The Guidelines also cover Customer Authentication and Transaction Signing requirements such as MFA, transaction signing, adaptive authentication, time-based OTPs, biometrics, soft tokens, session protection, maker-checker functions, and secure credential storage.
Next, let's talk about real-time fraud monitoring systems. While this is a common practice in some areas such as credit card transactions, the MAS TRM Guidelines 2021 has expanded the scope to include any online transaction. This is a significant new requirement for services that don't already do this.
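The following added example (not from the page or from MAS) shows in Python how transaction signing and real-time fraud monitoring fit together for a single online payment: the customer's soft token signs exactly the fields the customer saw (payee, amount, currency, a nonce and a timestamp), the server verifies that signature, rejects tampered, stale and replayed requests, and only then runs rule-based checks (single-transaction limit, first high-value payment to a new payee, velocity over a sliding window) on the verified transaction. HMAC-SHA256 with a per-device secret stands in for whatever signing scheme a real token uses, the account, payee and threshold values are constructed, and the rule set is illustrative rather than a fraud model.

```python
import hashlib
import hmac
import json
from collections import defaultdict

SIGNED_FIELDS = ("account", "payee", "amount", "currency", "nonce", "ts")


def canonical_bytes(tx: dict) -> bytes:
    """Deterministic encoding of exactly the fields the customer saw and approved."""
    return json.dumps({k: tx[k] for k in SIGNED_FIELDS}, sort_keys=True,
                      separators=(",", ":")).encode()


def sign_transaction(device_secret: bytes, tx: dict) -> str:
    """Signature produced by the customer's soft token (HMAC-SHA256 is the assumed scheme)."""
    return hmac.new(device_secret, canonical_bytes(tx), hashlib.sha256).hexdigest()


class TransactionVerifier:
    """Server-side check that a payment was signed by the enrolled device and is not a replay."""

    def __init__(self, device_secrets: dict, max_age: int = 300):
        self.device_secrets = device_secrets  # account -> enrolled device secret (constructed)
        self.max_age = max_age                # seconds a signed transaction stays valid
        self.seen_nonces = set()

    def verify(self, tx: dict, signature: str, now: float):
        secret = self.device_secrets.get(tx["account"])
        if secret is None:
            return False, "no_enrolled_device"
        if not hmac.compare_digest(sign_transaction(secret, tx), signature):
            return False, "bad_signature"  # payee or amount changed after the customer signed
        if abs(now - tx["ts"]) > self.max_age:
            return False, "stale"
        if tx["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(tx["nonce"])
        return True, "ok"


class FraudMonitor:
    """Real-time rules over a customer's recent verified transactions (thresholds are illustrative)."""

    def __init__(self, single_limit=5000, new_payee_limit=1000, velocity_limit=3, window=600):
        self.single_limit, self.new_payee_limit = single_limit, new_payee_limit
        self.velocity_limit, self.window = velocity_limit, window
        self.history = defaultdict(list)      # account -> timestamps of accepted transactions
        self.known_payees = defaultdict(set)  # account -> payees paid before

    def assess(self, tx: dict, now: float) -> list:
        acct, flags = tx["account"], []
        if tx["amount"] > self.single_limit:
            flags.append("amount_over_limit")
        if tx["payee"] not in self.known_payees[acct] and tx["amount"] > self.new_payee_limit:
            flags.append("new_payee_high_value")
        recent = [t for t in self.history[acct] if now - t <= self.window]
        if len(recent) + 1 > self.velocity_limit:
            flags.append("velocity")
        self.history[acct].append(now)
        self.known_payees[acct].add(tx["payee"])
        return flags


def process_payment(verifier, monitor, tx, signature, now):
    """Verify first, then score: a forged or replayed request never reaches the rules."""
    ok, reason = verifier.verify(tx, signature, now)
    if not ok:
        return {"accepted": False, "reason": reason, "flags": []}
    flags = monitor.assess(tx, now)
    return {"accepted": not flags, "reason": "ok" if not flags else "held_for_review", "flags": flags}


if __name__ == "__main__":
    secret = b"constructed-device-secret"
    verifier, monitor = TransactionVerifier({"ACC-1": secret}), FraudMonitor()
    tx = {"account": "ACC-1", "payee": "PAYEE-A", "amount": 100, "currency": "SGD",
          "nonce": "n1", "ts": 1000}
    sig = sign_transaction(secret, tx)
    print(process_payment(verifier, monitor, tx, sig, now=1010))
    print(process_payment(verifier, monitor, tx, sig, now=1011))  # same nonce: replay
    print(process_payment(verifier, monitor, dict(tx, nonce="n2", amount=9999), sig, now=1012))
```

The ordering matters: the signature binds payee and amount, the nonce and timestamp bound how long a captured request is reusable, and the fraud rules only ever see transactions that have passed both, so a flagged transaction is a genuine customer action worth a review rather than an artefact of tampering.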
Other Areas of Emphasis
Now that we are done with the Top 10 Key Focus Areas, we can touch upon other areas that should also be addressed.
Establish a proper risk management framework
The name of the Guidelines implies that Risk Management is a key concept. MAS encourages a risk-based approach in the adoption of the TRM Guidelines when assessing compliance. In short, FIs should have a mechanism in place to identify, assess, treat and monitor their risks.
Implement Your Policies and Keep Track of Compliance
Policies and procedures should not be a mere piece of a document but should rather drive the consistent implementation of controls to protect the FI's assets and help achieve business objectives.
Insure Yourself Against Cyber Risk
The Guidelines now call on FIs to consider technology risk insurance as part of their risk treatment. Financial protection aside, insurance gives FIs access to a panel of experts such as lawyers and forensic specialists to help in responding to cyber incidents more effectively.
Know Your Assets and Assign Accountability
FIs should start with understanding their assets, where they are, and who has access to them. It is also important to assess their impact on the organisation such that better decisions can be made on the right level of protection. Assets must have assigned owners who are responsible for ensuring that assets are properly managed throughout their lifecycle.
Conduct Background Checks
Background screening of personnel with access to the FI's systems and data, including third parties, is needed to support hiring decisions based on candidate suitability, and to protect against operational risks.
Establish a Resilient Architecture and Test for Recovery
FIs should also document recovery plans and test these periodically using plausible disruption scenarios. Finally, FIs should aim to operate from a recovery or alternate setup for an extended period for a more realistic test.
What are the MAS TRM Guidelines 2021 expectations for service providers?
Financial Institutions are increasingly reliant on service providers to perform business-critical activities, which introduces risk. Therefore, TRM Guidelines 2021 set out several expectations for service providers to securely and reliably support FIs.
Stringent Due Diligence
FIs are expected to conduct stringent due diligence on service providers to ensure that they do not pose any unnecessary risks to the FIs. These due diligence exercises are holistic and include many aspects of technology risk management. Service providers should also consider undertaking industry-recognised security compliance certifications and attestations like ISO 27001 and SOC 2 Type II to help ensure they have the right control framework and can demonstrably meet this due diligence.
Competency and Background Checks
Service providers are also expected to prove that their employees are competent and sufficiently skilled for the task. This can be fulfilled by providing professional development opportunities like training and certifications. Background checks should also be conducted on the staff of service providers. This reduces any risks related to insider threats.
Disaster Recovery Capability
To promote a resilient financial services ecosystem, FIs and their service providers should have advanced disaster recovery capabilities. Service providers should have disaster recovery policies and procedures in place. Disaster recovery testing and arrangements should be carried out at regular intervals to ensure that target RTO (Recovery Time Objective) and RPO (Recovery Point Objectives) are met. Additionally, disaster recovery testing should be a coordinated effort between service providers and the FI to troubleshoot any potential problems during an actual disaster recovery situation.
Service providers managing any systems on behalf of FIs should ensure that these systems are appropriately protected and adhere to the FI's system security standards. The service provider should carry out system hardening to meet the applicable security standards, and reputable endpoint protection solutions should be installed. These activities help secure the supply chain, since all systems with access to the FI's IT environment, including those managed by service providers, are held to the same standard.
The MAS also expects FIs and service providers to work closer together for a more resilient financial services ecosystem. Service providers are expected to undergo security awareness training programs conducted by the FIs as well as be part of the FI’s cyber exercises, if applicable. Such partnership will foster a more dynamic and closer working relationship which will be crucial in times of crisis.
With technology playing such a crucial role in Financial Institutions, senior management and the Board of Directors need to be more involved and must understand technology risk in the ever-changing cyber threat landscape.
There is an increased emphasis on secure development practices and API security. This includes a 'shift-left' where the security requirements of any IT project should be considered at the beginning of the design phase.
Adapting to fast-changing times, Bug Bounty programs are now a legitimate complement to Penetration Testing programs in FIs.
Security controls and cyber tooling are also more prescriptive. The emphasis on tools and practices improves the resilience of FIs in Singapore by improving their capabilities to detect, respond and recover from cyberattacks.
View the original MAS TRM Guidelines 2021 here.
Download our checklist for Financial Institutions to stay compliant with the MAS TRM Guidelines 2021.
Alternatively, speak to us if you need help with complying with MAS TRM. Book an introductory call with one of our consultants.
Book an obligation-free consultation here.
Pragma is a global Cyber Security and Regulatory Consulting firm that helps leading businesses, governments, and not-for-profit organisations strengthen cyber and regulatory resilience with a pragmatic approach.