MAS TRM Revisions 2021

Revised MAS TRM Guidelines – what has changed?

Written by Angela Yuen, Privasec’s GRC and Security Consultant

What is the MAS TRM and why it was created

The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines is a set of risk management principles and best practices standards to guide Financial Institutions (“FIs”) in managing technology risk. It was created to help FIs establish sound and robust technology risk governance and oversight, as well as maintain IT and cyber resilience.

The revised 2021 Technology Risk Management Guidelines (“2021 Guidelines”) were introduced eight years after the 2013 edition, amid a worsening cyber threat environment. They follow a series of cyberattacks and data breaches, including the WannaCry ransomware attack in 2017, the SingHealth data breach in 2018, the HIV data leak in 2019 and, most recently, the SolarWinds supply-chain compromise in 2020. The 2021 Guidelines provide additional guidance on how FIs can better manage technology and cyber risks in an environment of growing reliance on technology in business operations.

Although MAS only expects FIs to comply with the TRM Guidelines, the Guidelines can also serve as a reference beyond the financial sector. They set out best practices that any organisation can adopt to maintain cyber resilience, and they can be used as a benchmark to assess an organisation’s current security posture.

Trends in changes

Digital transformation in the financial industry, such as cloud technologies, biometric technologies, Internet of Things (“IoT”), application programming interfaces (“APIs”) and rapid software development, exposes FIs to new risks and vulnerabilities.

This has led to three key areas of focus in the 2021 Guidelines:

  • Roles and responsibilities of the Board of Directors and Senior Management, including their competency in managing technology risks;
  • Governance and risk management of third-party service providers;
  • Establishing a robust process to identify, monitor, detect and share cyber threats within the financial ecosystem.

Analysis of what this means

Roles and responsibilities of Board of Directors and Senior Management with regards to their competency in managing technology risks

Expanded roles and responsibilities of the board of directors and senior management.

The change:
The 2021 Guidelines introduce the appointment of a Chief Information Officer, Chief Technology Officer or Head of IT, and of a Chief Information Security Officer or Head of Information Security, to manage technology risks. The board of directors and senior management should also comprise members with the requisite skills and knowledge to provide oversight of technology risks.

What this means:
The roles and responsibilities of the board of directors and senior management go beyond making key IT decisions. FIs should include individuals with relevant experience in areas such as technology operations, risk management or audit on their boards of directors and in senior management.

Governance and risk management of third-party service providers and vendors

Risk assessment on third-party service providers and vendors.

  1. The change:
    Under the 2021 Guidelines, a risk assessment of the FI’s exposure to technology risk is required before it engages a third-party service provider. This goes beyond the 2013 Guidelines, which only called for due diligence on IT outsourcing arrangements.

    FIs should also implement a more detailed system acquisition process by establishing standards and procedures for vendor evaluation and selection, including a risk assessment of the vendor’s software development, quality assurance and security practices.

    What this means:
    FIs need to establish a robust third-party risk management framework to assess and manage third-party risks, and to gain a better understanding of, and control over, the technology they acquire.

  2. The change:
    Emphasis on assessing the suitability of third parties connecting to the FI via Application Programming Interfaces (“APIs”), and on governing their API access.

    The 2021 Guidelines recognise the risk of using public APIs and highlight the key aspects of securing API development and provisioning to safeguard the integrity and security of FIs’ systems and customer information, which include:

    (a) Use of strong encryption to transmit sensitive data securely.
    (b) Detection of suspicious activities and revocation of API access in the event of a breach.
    (c) Adequate system capacity for APIs.

    API development and provisioning were not directly addressed in the 2013 Guidelines.

    What this means:
    FIs should formulate safeguards for the development and provisioning of APIs that ensure the confidentiality, integrity and availability of data. There should be a well-defined vetting process to assess third parties’ suitability for connecting to the FI via APIs, and their API access should be governed to prevent compromise of data.
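    To make the three API safeguards above concrete, here is an added example of a minimal gateway-side policy check. It is not code from the page, from Privasec or from MAS, and the Guidelines prescribe no particular design: the client register, API keys, scopes and request stream are constructed, and the TLS floor (1.2), the failure threshold (five failed authentications in 60 seconds) and the automatic-revocation rule are assumed values chosen for illustration.

```python
"""Added example (not from the page or from MAS): a minimal policy check for
third-party API access. Vetting outcome, strong transport encryption, scope
enforcement and automatic revocation on suspicious activity are modelled;
client ids, keys, scopes and the request stream are constructed."""
import hmac
from collections import deque
from dataclasses import dataclass, field

STRONG_TLS = {"TLSv1.2", "TLSv1.3"}  # assumed floor for "strong encryption"
FAILURE_THRESHOLD = 5                 # failed authentications within the window
WINDOW_SECONDS = 60                   # sliding window for the failure count


@dataclass
class ClientRecord:
    """One third party. `approved` is the outcome of the vetting process."""
    client_id: str
    api_key: str
    scopes: set
    approved: bool = True
    revoked: bool = False
    failures: deque = field(default_factory=deque)  # timestamps of recent failures


class ApiGateway:
    def __init__(self, registry):
        self.registry = {c.client_id: c for c in registry}
        self.escalations = []  # (ts, client_id, reason) records handed to the SOC

    def _auth_failure(self, client, ts):
        client.failures.append(ts)
        while client.failures and ts - client.failures[0] > WINDOW_SECONDS:
            client.failures.popleft()  # forget failures that left the window
        if len(client.failures) >= FAILURE_THRESHOLD and not client.revoked:
            client.revoked = True  # automatic revocation on suspicious activity
            self.escalations.append((ts, client.client_id, "revoked: repeated auth failures"))
        return ("deny", "bad credential")

    def authorize(self, ts, client_id, api_key, tls_version, scope):
        """Decide one request: vetting, revocation, transport, identity, then scope."""
        client = self.registry.get(client_id)
        if client is None or not client.approved:
            return ("deny", "client not vetted")
        if client.revoked:
            return ("deny", "access revoked")
        if tls_version not in STRONG_TLS:
            return ("deny", "weak transport encryption")
        if not hmac.compare_digest(api_key, client.api_key):  # constant-time compare
            return self._auth_failure(client, ts)
        if scope not in client.scopes:
            return ("deny", "scope not granted")
        return ("allow", "ok")


def gateway_demo():
    """Run a constructed request stream through the gateway; returns (decisions, gateway)."""
    gw = ApiGateway([
        ClientRecord("acme-payments", "k-acme-1", {"accounts:read"}),
        ClientRecord("new-fintech", "k-nf-1", {"accounts:read"}, approved=False),
    ])
    stream = [
        (0, "acme-payments", "k-acme-1", "TLSv1.3", "accounts:read"),   # routine call
        (1, "acme-payments", "k-acme-1", "TLSv1.0", "accounts:read"),   # weak TLS
        (2, "acme-payments", "k-acme-1", "TLSv1.3", "payments:write"),  # outside granted scope
        (3, "new-fintech", "k-nf-1", "TLSv1.3", "accounts:read"),       # vetting not complete
    ]
    # five bad credentials inside one window: the fifth trips automatic revocation
    stream += [(10 + i, "acme-payments", "WRONG", "TLSv1.3", "accounts:read") for i in range(5)]
    stream.append((20, "acme-payments", "k-acme-1", "TLSv1.3", "accounts:read"))  # valid key, but revoked
    decisions = [gw.authorize(*req) for req in stream]
    return decisions, gw


if __name__ == "__main__":
    decisions, gw = gateway_demo()
    for d in decisions:
        print(d)
    print("escalations:", gw.escalations)
```

    The ordering of the checks matters: revocation and transport strength are tested before the credential so that a revoked or plaintext client never reaches the key comparison, and the credential is compared in constant time. Re-enabling a revoked client is deliberately not automatic; that decision belongs to the FI’s incident process.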

Establish a robust process to identify, monitor, detect and share cyber threats within the financial ecosystem.

  1. The change:
    Best practices for cyber security operations: processes to collect, process and analyse cyber-related information, and the procurement of cyber intelligence monitoring services, to combat cyber threats in collaboration with trusted parties.

    In addition, to ensure effective management of security monitoring, the following should be established:

    (a) A security operations centre, or managed security services, to facilitate the continuous monitoring and analysis of cyber events.
    (b) A process to collect, process, review and retain system logs.
    (c) A baseline profile of each IT system’s routine activities, against which anomalies can be identified.
    (d) A process to escalate anomalies to the relevant stakeholders in a timely manner.

    Lastly, a cyber incident response and management plan should be established. The cyber incident response and management plan could form part of the FI’s incident management plan, which was required under the 2013 Guidelines.

    What this means:
    FIs should evaluate their current cyber security policies and processes and assess where they stand in terms of cybersecurity readiness. FIs should also take on a proactive approach in strengthening collective cyber resilience within the financial ecosystem by creating situational awareness through information sharing.
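    Items (b) to (d) above describe a concrete detection pipeline: retained logs feed a baseline of routine activity, and deviations from that baseline are escalated. The following is an added example of that pipeline over a small login log. It is not code from the page, from Privasec or from MAS; the log format, system names, users, addresses and the thresholds (a /24 as the source-network granularity, three standard deviations with a floor of one for daily volume) are all constructed or assumed for illustration.

```python
"""Added example (not from the page or from MAS): build a baseline profile of a
system's routine login activity from historical logs, score new events against
it, and produce escalation records. Log format, systems, users and addresses
are constructed for this example."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\S+) (?P<system>\S+) login user=(?P<user>\S+) "
                  r"src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["net"] = ".".join(ev["src"].split(".")[:3]) + ".0/24"  # coarse source network
    return ev


def build_baseline(lines):
    """Per system: users, source networks and hours seen, plus daily login volume."""
    profile = defaultdict(lambda: {"users": set(), "nets": set(), "hours": set(),
                                   "daily": defaultdict(int)})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue  # only successful logins describe routine activity
        p = profile[ev["system"]]
        p["users"].add(ev["user"])
        p["nets"].add(ev["net"])
        p["hours"].add(ev["ts"].hour)
        p["daily"][ev["ts"].date()] += 1
    for p in profile.values():
        counts = list(p["daily"].values())
        p["mean"], p["stdev"] = statistics.mean(counts), statistics.pstdev(counts)
    return profile


def detect(profile, lines):
    """Return (severity, system, reason, line) records for events that deviate."""
    findings, volume = [], defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        p = profile.get(ev["system"])
        if p is None:  # a system with no baseline is itself an inventory gap
            findings.append(("high", ev["system"], "no baseline: system not in inventory", line))
            continue
        if ev["result"] != "success":
            continue
        volume[(ev["system"], ev["ts"].date())] += 1
        if ev["user"] not in p["users"]:
            findings.append(("high", ev["system"], f"unknown user {ev['user']}", line))
        if ev["net"] not in p["nets"]:
            findings.append(("high", ev["system"], f"login from unseen network {ev['net']}", line))
        elif ev["ts"].hour not in p["hours"]:
            findings.append(("medium", ev["system"], f"login at {ev['ts'].hour:02d}h, outside routine hours", line))
    for (system, day), n in volume.items():
        p = profile[system]
        if n > p["mean"] + 3 * max(p["stdev"], 1):  # floor of 1 avoids a zero-width band
            findings.append(("medium", system, f"{n} logins on {day}, baseline {p['mean']:.1f}/day", ""))
    return findings


def monitoring_demo():
    """Three routine days form the baseline; the fourth day is scored against it."""
    baseline = []
    for day in (1, 2, 3):  # constructed routine activity
        baseline += [
            f"2021-03-0{day}T09:00:00Z core-banking login user=alice src=10.0.5.12 result=success",
            f"2021-03-0{day}T10:00:00Z core-banking login user=bob src=10.0.5.13 result=success",
            f"2021-03-0{day}T14:00:00Z core-banking login user=alice src=10.0.5.12 result=success",
        ]
    observed = [  # constructed fourth day
        "2021-03-04T09:01:00Z core-banking login user=alice src=10.0.5.20 result=success",
        "2021-03-04T09:05:00Z core-banking login user=alice src=10.0.5.20 result=success",
        "2021-03-04T09:09:00Z core-banking login user=alice src=10.0.5.20 result=success",
        "2021-03-04T09:12:00Z core-banking login user=alice src=10.0.5.20 result=success",
        "2021-03-04T02:15:07Z core-banking login user=bob src=10.0.5.12 result=success",
        "2021-03-04T10:30:00Z core-banking login user=mallory src=198.51.100.7 result=success",
        "2021-03-04T14:00:00Z core-banking login user=bob src=10.0.5.12 result=success",
        "2021-03-04T14:02:00Z hr-portal login user=carol src=10.0.7.3 result=success",
        "2021-03-04T14:03:00Z core-banking login user=bob src=10.0.5.12 result=failure",
    ]
    profile = build_baseline(baseline)
    return profile, detect(profile, observed)


if __name__ == "__main__":
    for finding in monitoring_demo()[1]:
        print(*finding[:3])
```

    The severity attached to each finding is what drives item (d): high-severity records (unknown users, unseen networks, systems with no baseline) are the ones that should reach the relevant stakeholders immediately, while medium ones can go to the SOC queue. A real deployment would rebuild the baseline on a schedule so that legitimate changes in routine do not stay flagged forever.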

  2. The change:
    Best practices for cyber security assessments. The 2021 Guidelines detail the minimum scope for vulnerability assessment and penetration testing, whereas the 2013 Guidelines were less specific. The scope of vulnerability assessments should include vulnerability discovery and the identification of weak security configurations, open ports and application vulnerabilities. Penetration testing should combine black-box and grey-box testing, with consideration given to testing production instances.

    FIs should also perform cyber exercises and adversarial attack simulation exercises to validate the effectiveness of their cyber defence, response, recovery and communication plans against cyber threats. A comprehensive remediation process should be in place to track and resolve issues identified through these assessments and exercises.

    What this means:
    FIs must meet the minimum requirements set out in the 2021 Guidelines for vulnerability assessment and penetration testing, so that coverage is adequate for an accurate evaluation of the robustness of their cyber defences. By conducting cyber exercises, FIs can better understand the actual capabilities of their people and technology, measured against their written policies and processes.

Other Mentions

  1. Internet of Things (IoT):
    Policies, procedures and controls surrounding IoT should be established, and processes and controls to mitigate the risks arising from IoT should be assessed and implemented. FIs should maintain an inventory of all their IoT devices, including the networks to which they are connected and their physical locations. The network that hosts IoT devices should be secured and segmented from the network that hosts the FI’s systems and confidential data.

    Best practices on IoT were newly introduced in the 2021 Guidelines.

    What this means:
    FIs that have no existing documentation on IoT will have to formulate policies, procedures and controls for it, and should assess whether IoT devices are adequately secured before connecting them to their network.

  2. Software Application Development and Management:
    FIs should enhance their software development practices by adopting standards on secure coding, source code review and application security testing. A policy and procedure on the use of third-party and open-source software code should be established to ensure such code is reviewed and tested before it is integrated into the FI’s software.

    Guidance is provided for the following widely used software development and management practices:

    a. Agile software development: Apply secure coding, source code review and application security testing standards.
    b. DevSecOps management: Implement adequate security measures and enforce segregation of duties for development, testing and release functions.
    c. Application programming interface (API) development: Establish security standards for designing and developing secure APIs and adopt strong encryption standards and key management controls.
    d. End user computing and applications: Establish measures to control and monitor the use of shadow IT and end user applications.

    What this means:
    As FIs benefit from new technologies, they should be wary of the potential pitfalls that arise when those technologies are not adequately secured. New technologies introduce new vulnerabilities that cyber criminals may exploit, so it is important that FIs implement appropriate processes and controls to mitigate the resulting security risks.
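    The policy on third-party and open-source code described above needs an enforcement point, otherwise "reviewed and tested before integration" stays a paper control. The following is an added example of such a gate, not code from the page, from Privasec or from MAS: each reviewed component is recorded with an exact version and the SHA-256 of the artifact that was reviewed (the line format mirrors pip’s `--hash=` requirement syntax), unpinned or unhashed entries are rejected, and at integration time an artifact is admitted only if its digest matches the record. Package names, the requirements text and the artifact bytes are constructed.

```python
"""Added example (not from the page or from MAS): an integration gate for
third-party components. Components are admitted only when exactly pinned,
recorded with a SHA-256 digest, and matching that digest at integration
time. Package names, requirements text and artifact bytes are constructed."""
import hashlib
import re

# name, optional version specifier, zero or more --hash=sha256:<hex> options
REQ = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)"
                 r"(?P<spec>(?:==|~=|>=|<=|!=|<|>)\S+)?"
                 r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$")


def parse_requirements(text):
    """Return ({name: (version, {sha256, ...})}, [(line, violation), ...])."""
    pins, violations = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ.match(line)
        if m is None:
            violations.append((line, "unparseable line"))
            continue
        name, spec = m["name"].lower(), m["spec"]
        if not spec or not spec.startswith("=="):
            violations.append((line, "version not pinned exactly"))
            continue
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m["hashes"]))
        if not hashes:
            violations.append((line, "no integrity hash recorded"))
            continue
        pins[name] = (spec[2:], hashes)
    return pins, violations


def verify_artifact(name, data, pins):
    """Admit `data` only if its digest is one recorded for `name` in the approved list."""
    entry = pins.get(name.lower())
    if entry is None:
        return (False, "component not in approved list")
    digest = hashlib.sha256(data).hexdigest()
    if digest not in entry[1]:
        return (False, f"digest mismatch ({digest[:12]}...)")
    return (True, f"ok, version {entry[0]}")


# constructed stand-ins for a reviewed artifact and a tampered copy of it
GOOD_ARTIFACT = b"constructed stand-in for the reviewed widgetlib-1.4.2 wheel"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# injected after review"

# constructed approved list; the digest is the one recorded at review time
REQUIREMENTS = f"""
# approved third-party components (constructed example)
widgetlib==1.4.2 --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}
loosepkg>=2.0       # policy violation: no exact pin
nohashpkg==0.3.1    # policy violation: pinned but no digest recorded
"""


def dependency_demo():
    """Parse the approved list, then gate three artifacts against it."""
    pins, violations = parse_requirements(REQUIREMENTS)
    results = {
        "good": verify_artifact("widgetlib", GOOD_ARTIFACT, pins),
        "tampered": verify_artifact("widgetlib", TAMPERED_ARTIFACT, pins),
        "unapproved": verify_artifact("otherlib", GOOD_ARTIFACT, pins),
    }
    return pins, violations, results


if __name__ == "__main__":
    pins, violations, results = dependency_demo()
    for line, why in violations:
        print("REJECTED LINE:", line, "->", why)
    for label, (ok, why) in results.items():
        print(label, "->", "admit" if ok else "block", why)
```

    The point of recording the digest rather than only the version is that a version number is whatever the upstream index says it is, while the digest ties the integration to the exact bytes the review covered; a substituted or modified package fails the gate even when its version string is unchanged.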

About the Author

Angela Yuen is a Security GRC Consultant at Privasec. She is a technology governance, risk and compliance professional who has worked across several industry verticals, helping organisations with compliance with regulatory requirements and with the management of technology and operational risks.

She is also a certified ISO 27001:2013 Lead Auditor and Certified Information Systems Auditor (CISA). 
