Enhanced MAS TRM Guidelines:
What Do They Mean for Your Organisation?
Earlier this year on 18 January 2021, the Monetary Authority of Singapore (MAS) released a revised version of its Technology Risk Management (TRM) Guidelines.
The updated MAS TRM Guidelines provide financial institutions (FIs) with a framework to implement best practices in cyber security governance, management, and operations.
Cyber Security Governance
Expanded roles of Board of Directors and Senior Management
1. A Chief Information Officer and a Chief Information Security Officer (or their respective equivalents) with the requisite expertise and experience should be appointed by the Board and Senior Management.
As FIs adopt new technologies to advance business and improve efficiency, robust cyber security governance is crucial in managing technology risks and building cyber resilience in Singapore. A Chief Information Officer is responsible for devising and putting in place an overall information technology strategy and managing the company’s information technology risks. On the other hand, a Chief Information Security Officer takes charge of implementing information security strategies such as information security policies, procedures, and technical controls to safeguard the FI against data breaches.
2. The Board and Senior Management should include members with knowledge in understanding and managing technology risks.
As top management, the Board and Senior Management oversee a company’s risk management strategy. To effectively manage technology risks such as cyber threats, the Board and Senior Management need to include members who have an adequate understanding of technology risk management and are capable of advising accordingly.
Cyber Risk Management
Risk Assessment on Technology & Cyber Risks from Third Party Vendors
3. FIs should have policies and procedures in place to evaluate risks from vendors that have access to their IT systems.
Third-party access to IT systems and networks increases the attack surface area for malicious threats. Thus, FIs should establish and enforce robust standards, policies and procedures to evaluate a vendor’s security practices. Assessment such as analysis of the vendor’s software development and quality assurance practices can provide insight into possible risks.
In addition to assessment, FIs should ensure their engaged vendors have stringent cyber security practices to safeguard sensitive and personal data from potential breaches. Information security standard certification such as ISO 27001 can provide a level of assurance of the robustness of a vendor’s security practices.
Robust Cyber Security
Introduction of New Guidelines on Cyber Security Operations
4. Cyber threat intelligence & information sharing
The new Guidelines advocate for cyber resiliency in the financial ecosystem of Singapore. A crucial part in achieving this is cyber threat intelligence and information sharing. The updated Guidelines call for FIs to actively participate in cyber threat information-sharing with trusted parties by engaging cyber intelligence monitoring services.
5. Cyber event monitoring & detection
Cyber attacks can happen at any time. To detect malicious activities and remediate threats in a timely manner, FIs should put in place continuous cyber security monitoring and proactive threat detection. When malicious threats or suspicious user behaviours are detected, FIs should also have a process to promptly escalate the incident to relevant stakeholders. To achieve this, FIs should establish a security operations centre or procure managed security services.
Secure Your Endpoints & Devices with
Managed Protection, Detection, Response/Remediation (PDR)
CSIntelligence’s Managed Protection, Detection, Response & Remediation (Managed PDR) integrates AI & NI (Neural Intelligence) to provide proactive monitoring, advanced detection and timely remediation of cyber threats.
Our next-generation Security Operations Centre (SOC) and specialised cyber security defenders work 24×7 in real‐time to secure your organisation’s assets – servers, mobile devices, laptops and emails – from advanced and sophisticated cyber attacks, regardless of the user’s physical location.
Contact us to learn more.
6. Cyber incident response & management
Companies should implement a cyber incident response and management plan to isolate and defuse any detected cyber threats rapidly. Ideally, such plans should cover relevant communication and response procedures for possible cyber threat incidents. A good practice is to ensure these plans align with your existing company structures and policies instead of directly adopting procedures from standardised templates and examples. Plans should also be regularly reviewed, tested, and updated annually.
7. Cyber security assessment, testing & exercises
Vulnerability assessment and penetration testing, or VAPT, are not new to the MAS TRM guidelines as they were previously outlined in the 2013 version. The same practices are recommended, whereby businesses should conduct regular assessments on their IT infrastructure to bridge IT security gaps. Organisations should also conduct penetration testing (both blackbox and greybox testing) to evaluate cyber security defences.
The latest addition to the guidelines is cyber exercises. Frequent scenario-based exercises should be carried out to evaluate your company’s response, recovery, and communication systems against cyber threats. Exercises can range from social engineering and table-top to adversarial attack simulations.
What’s Next
Does Compliance Equate to Being Cyber Safe?
The revised MAS TRM Guidelines serve as a framework for evaluating your company’s cyber hygiene and establishing sound, robust cyber security governance, management and operations. Whether your organisation is a FinTech or Financial Services startup, compliance with the MAS TRM Guidelines is a valuable step towards being cyber safe. The Guidelines need to be properly implemented to build cyber resiliency.
If you are unsure of your technical/security controls and MAS TRM compliance, contact us today for assistance.
Sorry, the comment form is closed at this time.