Covering Disruptive Technology Powering Business in The Digital Age

The MAS (Monetary Authority of Singapore) has proposed changes to its guidelines on technology risk and business continuity management in two new consultation papers.

The changes require financial institutions to put in place enhanced measures to strengthen operational resilience, taking into account the rapidly changing physical and cyber threat landscape, said a statement from the regulator.

“A cyber-attack can result in a prolonged disruption of business activities. Threats are constantly present and evolving in sophistication.We cannot afford to be complacent,” said MAS chief cyber security officer Tan Yeow Seng. “Financial institutions must therefore remain vigilant and have in place effective technology risk management practices and robust business continuity plans to ensure prompt and effective response and recovery.”

MAS proposes to expand the Technology Risk Management Guidelines to include guidance on effective cyber surveillance, assessment, testing, and incident management. It also covers secure software development, adversarial attack simulation, and management of cyber risks posed by IoT (Internet of Things) technology.

“With an evolving threat landscape and increasing reliance on technology to deliver financial services in new, innovative and efficient ways, these changes are not surprising,” said Natalie Curtis at Herbert Smith Freehills in Singapore.

“The draft guidelines require financial institutions to strengthen their cyber and operational resilience to keep ahead of potential threats. They also place a clear onus on boards and senior management to establish a strong technology risk management culture and have members who fully understand and can manage the institution’s technology risks.”

In addition, the MAS seeks to address risks from new technologies, such as APIs, smart electronic devices and virtualisation, which it says may increase cyber risk if not implemented and managed appropriately.

The proposals were developed in close partnership with the financial industry, and include inputs from the CSAP (Cyber Security Advisory Panel), which was formed in 2017 to advise MAS on cyber resilience strategies for the financial sector.

MAS also proposes to update the Business Continuity Management Guidelines to raise standards for financial institutions in the development of business continuity plans, specifically to better account for interdependencies across operational units and linkages with external service providers.

Institutions should continue to strengthen their ability to mitigate the potential impact of any attacks by identifying potential vulnerabilities and developing effective recovery plans, MAS said. They are also encouraged to put in place independent audit programmes to regularly review the effectiveness of their business continuity management efforts.

Both guidelines continue to emphasise the importance of risk culture, and the roles of board of directors and senior managers in technology risk and business continuity management.

(0)(0)