The Monetary Authority of Singapore (MAS) today released two consultation papers on proposed changes to the Technology Risk Management (TRM) Guidelines and the Business Continuity Management (BCM) Guidelines.
The changes will require financial institutions’ (FIs) to put in place enhanced measures to strengthen operational resilience. These take into account the rapidly changing physical and cyber threat landscape.
MAS proposes to expand the TRM Guidelines to include guidance on effective cyber surveillance, secure software development, adversarial attack simulation1, and management of cyber risks posed by the Internet of Things. The proposals were developed in close partnership with the financial industry. The MAS Cyber Security Advisory Panel (CSAP)2, which comprises international cyber security thought leaders, provided valuable inputs in shaping the proposed TRM Guidelines.
MAS also proposes to update the BCM Guidelines to raise standards for FIs in the development of business continuity plans that will better account for interdependencies across FIs’ operational units and linkages with external service providers. FIs are encouraged to put in place an independent audit programme to regularly review the effectiveness of their BCM efforts.
The two Guidelines continue to emphasise the importance of risk culture, and the roles of Board of Directors and senior management in technology risk and business continuity management.
Mr Tan Yeow Seng, Chief Cyber Security Officer, MAS, said, “A cyber-attack can result in a prolonged disruption of business activities. Threats are constantly present and evolving in sophistication. We cannot afford to be complacent. Financial institutions must therefore remain vigilant and have in place effective technology risk management practices and robust business continuity plans to ensure prompt and effective response and recovery."
The public consultation will run from 7 March to 8 April 2019. Copies of the public consultation papers are available on the MAS website: TRM Guidelines and BCM Guidelines. MAS welcomes feedback from FIs and other interested parties on the proposed changes to the Guidelines.
The TRM Guidelines were issued in 2013 to provide financial institutions with guidance on the oversight of technology risk management, security practices and controls to address technology risks.
The BCM Guidelines were first issued to the financial industry in June 2003, with a focus on the organisational response and recovery process to minimise the impact of business disruptions. Subsequently, an addendum was issued in January 2006 to provide further guidance on measures to mitigate the impact of influenza pandemic and security threats arising from terrorism.
The extent and degree to which an FI implements the Guidelines should be commensurate with the nature, size and complexity of its business operations.
1 Adversarial attack simulation exercise tests an FI’s capability to prevent, detect and respond to threats by simulating perpetrators’ tactics, techniques and procedures to target the people, processes and technology underpinning the FI’s critical business functions or services.
2 The CSAP was formed in 2017 to advise MAS on cyber resilience strategies for the financial sector.