The Role of MAS TRM in Robust Technology Risk Governance

According to the Financial Times, in the first half of 2021 alone, the financial industry faced over $1 billion in anti-money laundering (AML) fines from leading financial institutions such as NatWest, HSBC, digital lender Monzo, and Dutch lender ABN Amro. As a result of increased pressure on financial institutions to implement various risk management principles to detect these financial crimes, many sought to adhere to stricter demands from authorities regarding regulations and compliance. 

One of these guidelines was the Monetary Authority of Singapore-Technology Risk Management, also known as MAS TRM. 

What is MAS TRM?

The MAS TRM guidelines address technology risk management, including raising cybersecurity standards and strengthening cyber resilience in the financial sector. 

In response to the growing cyber threat landscape, the Monetary Authority of Singapore (MA) recently updated its MAS TRM guidelines to help financial organizations keep up with emerging technologies and cybersecurity best practices, including third-party management. 

Many of the standards included in the revised guidelines were taken from an earlier 2013 edition. Companies are still digesting the guidelines, and many are finding that automating compliance with the new standards is the best way forward. 

MAS TRM Guidelines Overview

The guidelines contain 12 sections and several appendices that review critical areas, including: 

• Board and Senior Management (BSM). Introduces additional guidance on their roles and responsibilities
• Management of third parties. Introduces more stringent assessments of vendors with access to the financial organization’s information technology systems
• System and software development. Introduces testing, monitoring and sharing information about cyber risks within the financial sector

Enhanced Roles for the Board and Senior Management 

The TRM guidelines feature a more extensive list of roles and tasks for the directors and senior management. For example, the BSM must ensure that senior managers have proper oversight to manage cyber risks and technology. Specifically, they need to verify that both the IT manager and the CIO have the appropriate experience and skills. The BSM also requires its members to have extensive knowledge of cyber risks and technology.

In addition, MAS expects the board of directors to approve the entity’s risk tolerance position. Senior management and the board must consider the financial organization’s risk appetite when making critical IT decisions.

For a financial institution whose board is not located in Singapore, the roles and responsibilities in the guidelines may be performed by a select committee that has the power to oversee the Singapore-based office. 

The guidelines don’t lay out specific measures for a board to use to gauge its organization’s performance in technology risk management. However, measuring the effectiveness of the integrity of systems and data may be a good performance indicator of the effectiveness of the security framework in place.

Additional Safeguards for Financial Institutions

The guidelines also introduce more stringent assessments of third-party vendors to access the company’s technology systems. Financial institutions should assess and manage third-party vendors’ exposure to technological risks that may affect the confidentiality and integrity of IT systems and data held by third parties before contracting with the supplier. 

This offers additional oversight over cyber threat risks at a higher organizational level. Financial organizations must ensure their third-party vendors can fulfill all regulatory requirements. The guidelines stress that using third-party vendors should not compromise cyber threat risk management. 

The new rules also require financial companies to: 

• Set up standards and procedures to evaluate the competency of suppliers that include a wide range of topics to prevent and recover from cyberattacks
• Devise a thorough vetting process to assess third-party companies that want to access the financial organization’s programming interface

In addition, financial institutions should: 

• Make sure that IT systems and electronic devices have the proper security features in place.
• Use firewalls inside networks to reduce the effects of security incidents from third-party systems.
• Back up and review rules on your network security devices to ensure they are relevant and useful.
• Employ measures such as penetration testing and red team testing to understand how robust their security is.
• Ensure that IoT devices that are connected to the organization’s network are secure
• Conduct proper cyber intelligence monitoring services.

Failure to comply with the guidelines can lead to fines, public relations damage and license revocation in Singapore. 

Automating MAS Technology Risk Management Compliance

While following the new guidelines may seem taxing, automating the process can help save time and effort while achieving greater security and complying with the requirements of MAS TRM.

How Panorays Can Help

Third-party compliance with regulations is a crucial factor in ensuring your organization’s security. Panorays gives you visibility into your third parties’ external attack surface to assess their adherence to compliance and regulations such as GDPR, PCI DSS, MAS TRM, etc. These external attack surface assessments, combined with automated and customized security questionnaires, work together to deliver a cyber posture rating along with a plan for remediation to address any cyber gaps when necessary.

Want to learn more about automated third-party risk management? Get started with a Free Account today.

FAQs