Blog post -

Spotlight on the Monetary Authority of Singapore’s Technology Risk Management Guidelines

As part of our ‘Spotlight on’ series, we have been delving into the topic of operational resilience and third-party risk management within financial institutions (FIs), exploring what the latest guidelines and proposals released by regulators across the globe mean for businesses across the sector.

In this installment, Simon Fieldhouse, global managing director – Software Resilience, offers his insight into the latest version of the Monetary Authority of Singapore’s (MAS) Technology Risk Management (TRM) guidelines, published earlier this year.

What do the guidelines say?

Following a public consultation in 2019 and engagement with professionals across the cyber security industry, the MAS revised its 2013 guidelines.

As with the UK’s PRA rules and the EU’s Digital Operational Resilience Act (DORA) proposals, the guidelines recognise that the technologies and infrastructure adopted across the sector have grown in complexity over the years. They also recognise how the cyber threat landscape is evolving rapidly – signalling that cyber and software resilience are converging into one, to create what might be referred to in future as ‘digital resilience’.

With this in mind, the new guidelines require FIs to meet the following requirements:

  • Oversight of all third-party providers
  • System and software development
  • Guidance on board and senior management roles

Oversight of all third-party providers

The MAS recognising that risk must be considered from all third parties – not just outsourcing – is one of the biggest, if not the, most important updates to the guidelines. As reliance on third party software and its availability continues to increase, FIs must ensure that all providers they work with have the necessary risk mitigation and business continuity measures in place.

While the focus on business continuity and risk management in relation to third party technology isn't a novel concept for a financial regulator, the MAS has gone a step further to outline specific solutions FIs are able to adopt to ensure their adherence to regulatory requirements.

The MAS specifically outlines FIs must follow ensure that software escrow agreements and verification testing are built into contracts before entering into a third-party agreement. This means ensuring that any third party you work with meets a high standard of compliance and due diligence when it comes to the security and resilience of their service, no matter what it is. Suitable alternatives to replace the software should also be identified if an escrow agreement could not be implemented.

System and software development

On the flipside, MAS has also acknowledged how FIs are increasingly developing their own software in-house, meaning that there needs to be a range of practices followed to ensure these systems and software remain resilient and secure. In the latest version of the TRM, the MAS sets out that FIs should implement and follow strict standards around secure coding, source code review and application security testing.

Board and senior management roles

The continuous management and assessment of the supply chain and third-party networks will be crucial in ensuring FIs can keep up with the evolving nature of technology and factors that could risk the availability and integrity of services.

However, to drive this, there must be clarity on the roles and responsibilities of the board of directions and senior management. To ensure that processes are successful on an ongoing basis, the TRM, both in 2013 and 2021, has required the board to ensure the TRM framework is established and maintained.

Updates to the guidance this year focus on ensuring that a chief information officer and a chief information security officer are appointed to the board. But this responsibility isn’t just confined to these board members – every staff member should be trained on technological risk to ensure the FI can keep pace with developments.

Keeping pace with technological change and risks

Technology and its associated risks will never stand still, which means that regulators and businesses need to keep pace. The guidelines set out by the MAS are world-leading in many ways and much like the UK, Singapore is deeply committed to embracing the technologies of the future while keeping their citizens safe and secure.

This is backed by recent negotiations between Singapore and the UK on a Digital Trade Agreement to support the growth of high tech markets, and builds on ambitions to lead in setting global digital standards. As a result, the UK and Singapore have since established a new financial partnership to strengthen cooperation on financial services regulation, deepen cooperation on growth sectors like fintech and lawtech, as well as enhancing bilateral cyber security cooperation and building collective cyber capabilities.

These commitments and decision to signpost the use of escrow agreements for FIs should act as a battle cry for regulators across the world to follow suit. While some already are, including global counterparts in the UK and Europe, widespread attention on this is needed to ensure that FIs across the globe can continue to innovate soundly.

Simon Fieldhouse, Global Managing Director - Software Resilience, NCC Group

Topics

  • Computer security

Categories

  • software resilience
  • fintech
  • increasing regulatory & legislative requirements

Contacts

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

UK PRA publishes rules for outsourcing and third-party risk management

This week, the UK’s Prudential Regulation Authority (PRA) published rules on outsourcing and third-party risk management. Following on from our ‘Spotlight on’ piece, our global managing director – software resilience at NCC Group, Simon Fieldhouse, reacts to this news.

NCC Group welcomes consultation on US Interagency Guidance for Third Party Risk Management

NCC Group responds to proposed US Interagency guidance on third-party risk management, and welcomes the agencies’ intent to promote consistency and assist regulated banking organizations in identifying, assessing and managing third party risks.

NCC Group responds to Cyber Security Agency of Singapore ('CSA') public consultation on licensing

A new licensing framework proposed by the Cyber Security Agency of Singapore ('CSA') is expected to launch early next year. Here, Charles Spencer, APAC Managing Director at NCC Group shares his thoughts on the framework that aims to improve assurance on security and safety and raise quality.

Spotlight on the future of outsourcing in the UAE’s financial services sector

As part of our ‘Spotlight on’ series this month, Simon Fieldhouse, global managing director – Software Resilience looks to the Middle East and how the changing regulatory landscape is shaping the future of its financial services sector.

Spotlight on the EU’s Digital Operational Resilience Act (DORA)

The EU Commission is currently developing the Digital Operational Resilience Act (DORA) – new legislation aimed at financial entities at EU level. But what does it mean and what should businesses do now to prepare? Simon Fieldhouse, global managing director – Software Resilience at NCC Group, breaks this down in our latest ‘Spotlight on’ piece.

Spotlight on the UK’s new operational resilience regulation

After years of consultation, the UK’s Prudential Regulation Authority (PRA) is set to publish new rules on outsourcing and third-party risk management this month. In our ‘Spotlight on’ series, Simon Fieldhouse explores what this means for the sector, its resilience, and the pace of digital transformation.

Spotlight on Canada’s approach to managing third party risk in the finance sector

Following the call for input from the Canadian Office of the Superintendent of Financial Institutions (OSFI), on the way financial institutions manage third-party risk, John Boruvka, Vice President, Sales - US for NCC Group Software Resilience, provides an overview of the key points to note.