MAS look at operational resilience in new consultations
29 March 2019
The MAS released two consultation papers in March, proposing changes to guidelines in both Technology Risk and Business Continuity. In both papers, the MAS addresses tighter security oversight to enhance operational resilience in the midst of increasing cyber security threats. Recent high-profile data breaches, such as the HIV information leak earlier this year and last year’s hack of 1.5 million Singapore patients’ records, have brought cyber security into even greater focus.
These papers will impact all financial institutions in Singapore. As expected, the extent and degree to which the guidelines are to be applied depends on the nature, size and complexity of business operations – a proportionate approach is key. The Regulator has made it clear that senior management should improve culture, strengthen oversight and, importantly, manage cybersecurity risks from the top down. It’s likely that changes in this area will be introduced within a year, so now is a good time to start looking at your risk management processes.
What are the changes to Technology Risk Management?
The consultation paper on Technology Risk Management (TRM) focuses on developing a risk management framework, as well as combatting cyber attacks, supported by broader improvements to governance.
There are a few notable changes and additions to what the MAS expects of boards of directors and senior management with regard to technology risk.
- Board role
Boards of Directors must take a more active role in making sure internal controls are in place and tested for effectiveness.
- Risk framework
You should have a robust risk management framework which is appropriately maintained.
- Senior IT role
If you do not already have one, you should appoint a Chief Information Officer, Chief Technology Officer or Head of Information Technology with the necessary skills and understanding of technology risks. For smaller and more straightforward financial institutions, we expect multi-hatting, as well as some reliance on external vendors, in this regard.
- Risk appetite
The MAS expects the Board to set a suitable risk appetite appropriate to the company, ensuring technology risk strategies are regularly reviewed, tested and adequately resourced with proper expertise.
- Management responsibility
Senior managers must take responsibility for ensuring frameworks are approved and policies are in place. The responsibilities of IT staff should be clearly defined and delegated and should include compliance oversight.
- Data management
Information assets such as client data should be properly managed, for example by keeping an inventory that is reviewed and updated regularly.
Companies using third party providers in areas involving clients’ information must apply the same tests set out in the Outsourcing Guidelines, such as competency and background assessments.
Annual training must be provided to all staff, including board directors, service providers and contractors, on internal policies and procedures and on up-to-date industry practices.
IT and Cybersecurity framework
The MAS wants financial institutions to have a dedicated IT project team. This team should create and manage a framework to address third party vendor selection, conducting feasibility analysis, cost-benefit analysis, business case analysis and project planning amongst other responsibilities.
Companies are also expected to employ software development methodologies (such as Agile or DevOps) and best practices. These include secure coding, which prevents the software bugs and vulnerabilities that are typically targeted and exploited by hackers to compromise an IT system. Emerging global technologies such as smart devices, virtualisation and eventually artificial intelligence create new risks. Companies must have ways to identify and mitigate these risks to ensure better delivery for customers.
The bulk of the consultation focuses on what efforts companies must make to combat cybersecurity threats. The MAS provides further guidance to all financial institutions on cyber surveillance, cybersecurity assessment and testing, and cyber incident management. It also looks at simulation of cyber attacks to test a financial institution’s readiness.
At the crux of the papers is the need to identify, monitor and test all cybersecurity systems and software. Cybersecurity must be looked at holistically to ensure all risks of cyber attack are, and will remain, properly mitigated – especially when client information is at risk.
What are the changes to Business Continuity Management?
The consultation on Business Continuity Management (BCM) looks to financial institutions to put more rigour in their business continuity planning processes and test them annually.
New definition of business function
The current definition requires companies to identify business functions that are critical and prioritise them for recovery in a disruption. The MAS now wants financial institutions to look at the span of a business from a service delivery perspective. There will be several other business processes to be performed before the service is finally delivered to the end-user. And each of these will need attention.
Not much has changed from the current responsibilities that are set out for board directors and senior management. Additions include the following:
- An annual review and endorsement of business continuity management, critical business functions, business continuity objectives and risk tolerance should be conducted.
- Senior management should have clearly defined and documented responsibilities.
- Management are expected to play a key role in implementing the BCM, for example via annual attestation of BCM preparedness to the board.
Business Continuity Plan (BCP)
Currently, the MAS is proposing to raise standards for financial institutions in their development of BCPs so that they better account for interdependencies across all business functions. The MAS expects all financial institutions to have an end-to-end business continuity plan for each service that is delivered to their customers. All companies would need to review and enhance the robustness of their BCPs by covering the full recovery process for a given business function. Formal training on business continuity planning should also be provided to all relevant staff of the company.
Testing and Auditing
The MAS wants financial institutions to conduct an annual crisis management and communications exercise and test the BCP for each critical business function. Companies will also be required to conduct BCM audits through a unit that is independent of the staff involved in the planning and execution of the BCM itself – for example through internal audit.
Getting ahead of the changes
The papers might still be under consultation, but the MAS has made it clear that the changes may be approved within the year. Companies will be expected to start reviewing and conducting gap analyses on both the TRM and BCM risk management processes in anticipation of the impending changes.
Your gap analysis should also extend to internal governance arrangements, including reporting lines and job descriptions, to reflect the MAS proposals. And you should pay particular attention to any new technologies or practices that you have recently adopted and that may not yet have had a thorough risk assessment.