
10 May 2022

Monetary Authority of Singapore Further Enforces Technology Risk Requirements

As the Singapore government grants the Monetary Authority of Singapore (MAS) powers to enforce the Technology Risk Management requirements for financial institutions, in this blog we take a deep dive into the requirements and how they've developed. 


In April, the Monetary Authority of Singapore (MAS) was awarded the right to enforce the Technology Risk Management requirements, to the extent that non-compliance could result in fines of up to $1 million, or even higher if several rules are broken.

Singapore has been leading the way on promoting better operational resilience and third-party risk management in the financial sector and this new law takes it one step further. 

What do the guidelines say? 

The guidelines recognise that the technologies and infrastructure adopted across the sector have grown in complexity over the years. They also recognise how the cyber threat landscape is evolving rapidly – signalling that cyber and software resilience are converging into one, to create what might be referred to in future as ‘digital resilience’.

With this in mind, the new guidelines set out requirements for financial institutions (FIs) in the following areas:

  • Oversight of all third-party providers
  • System and software development
  • Guidance on board and senior management roles

 

Oversight of all third-party providers

One of the biggest, if not the most important, updates to the guidelines is the MAS's recognition that risk must be considered from all third parties, not just outsourcing. As reliance on third-party software and its availability continues to increase, FIs must ensure that all providers they work with have the necessary risk mitigation and business continuity measures in place.

While the focus on business continuity and risk management in relation to third-party technology isn't a novel concept for a financial regulator, the MAS has gone a step further to outline specific solutions FIs are able to adopt to ensure their adherence to regulatory requirements.

The MAS specifically outlines that FIs must ensure that software escrow agreements and verification testing are built into contracts before entering into a third-party agreement. This means ensuring that any third party you work with meets a high standard of compliance and due diligence when it comes to the security and resilience of their service, no matter what it is. Suitable alternatives to replace the software should also be identified if an escrow agreement cannot be implemented.

 

System and software development

The MAS has also acknowledged that FIs are increasingly developing their own software in-house, meaning that a range of practices needs to be followed to ensure these systems and software remain resilient and secure. In the latest version of the TRM, the MAS sets out that FIs should implement and follow strict standards around secure coding, source code review and application security testing.

 

Board and senior management roles

The continuous management and assessment of the supply chain and third-party networks will be crucial in ensuring FIs can keep up with the evolving nature of technology and factors that could risk the availability and integrity of services.

However, to drive this, there must be clarity on the roles and responsibilities of the board of directors and senior management. To ensure that processes are successful on an ongoing basis, the TRM, both in 2013 and 2021, has required the board to ensure the TRM framework is established and maintained.

 

These latest developments should act as a battle cry for regulators across the world to follow suit. While some already are, including global counterparts in the UK and Europe, widespread attention on this is needed to ensure that FIs across the globe can continue to innovate soundly.

Learn more about how software escrow can support firms in the financial services sector to maintain operational resilience and comply with third-party risk management regulations.
