What is MAS-TRM?
MAS-TRM stands for the Monetary Authority of Singapore-Technology Risk Management guidelines. It addresses technology risk management, including raising cybersecurity standards and strengthening cyber resilience in the financial sector.
In response to the growing cyber threat landscape, the Monetary Authority of Singapore (MAS) recently updated its MAS-TRM guidelines to help financial organizations keep up with emerging technologies and cybersecurity best practices, including third-party management.
Many of the standards included in the revised guidelines were taken from an earlier 2013 edition. Companies are still digesting the guidelines, and many are finding that automating compliance with the new standards is the best way forward.
MAS-TRM Guidelines Overview
The guidelines contain 12 sections and several appendices that review critical areas, including:
- Board and Senior Management (BSM): introduces additional guidance on their roles and responsibilities
- Management of third parties: introduces more stringent assessments of vendors with access to the financial organization’s information technology systems
- System and software development: introduces testing, monitoring and sharing information about cyber risks within the financial sector
Enhanced Roles for the Board and Senior Management
The TRM guidelines feature a more extensive list of roles and tasks for the BSM. For example, the BSM must ensure that senior managers have proper oversight to manage cyber risks and technology. Specifically, they need to verify that both the IT manager and the CIO have the appropriate experience and skills. The guidelines also require BSM members themselves to have extensive knowledge of cyber risks and technology.
In addition, MAS expects the board of directors to approve the entity’s risk tolerance position. Senior management and the board must consider the financial organization’s risk appetite when making critical IT decisions.
For a financial institution whose board is not located in Singapore, the roles and responsibilities in the guidelines may be performed by a select committee that has the power to oversee the Singapore-based office.
The guidelines don’t lay out specific measures for a board to use to gauge its organization’s performance in technology risk management. However, measures of system and data integrity may serve as good performance indicators of how effective the security framework in place is.
Additional Safeguards for Third-Party Vendors
The guidelines also introduce more stringent assessments of third-party vendors with access to the company’s technology systems. Before contracting with a supplier, financial institutions should assess and manage the vendor’s exposure to technology risks that may affect the confidentiality and integrity of IT systems and data held by third parties.
This offers additional oversight over cyber threat risks at a higher organizational level. Financial organizations must ensure their third-party vendors can fulfill all regulatory requirements. The guidelines stress that using third-party vendors should not compromise cyber threat risk management.
The new rules also require financial companies to:
- Set up standards and procedures for evaluating supplier competency across a wide range of topics, including preventing and recovering from cyberattacks
- Devise a thorough vetting process to assess third-party companies that want to access the financial organization’s programming interface
In addition, organizations should:
- Make sure that IT systems and electronic devices have the proper security features in place
- Use firewalls inside networks to reduce the effects of security incidents from third-party systems
- Back up and review rules on your network security devices to ensure they are relevant and useful
Failure to comply with the guidelines can lead to fines, public relations damage and license revocation in Singapore.
Automating MAS-TRM Compliance
While following the new guidelines may seem taxing, automating the process can help save time and effort while achieving greater security and complying with the requirements of MAS-TRM.
Are you interested in improving your third-party security and complying with MAS-TRM Guidelines? Panorays can help. With Panorays, you can automate, accelerate and scale your third-party security process. Request a demo today to find out more!