New 2021 MAS TRM Guidelines Revision (18 January 2021)

Written by Ian Tan Zhi Yan

‘I do not fear computers. I fear lack of them’,[1] a quote commonly attributed to Isaac Asimov and one I am sure most readers have heard of. This saying accurately reflects the degree of reliance placed upon technology. Without a doubt, the introduction of the Covid-19 pandemic brought that reliance into the limelight and demonstrated how technology is so essential to the running of businesses globally in the ‘new norm’.

Roughly a year after the Covid-19 outbreak, the Monetary Authority of Singapore (MAS) released the revised Technology Risk Management (TRM) Guidelines (Guidelines). The revision, released on 18th January 2021, introduced two new sections addressing cyber security operations, cyber security assessment and surveillance. The Guidelines also saw significant revision to five sections, with three new annexes being added added focusing on application security testing and device security (BYOD and mobile application security).

MAS introduced the following key revisions to the TRM Guidelines:-

  1. Technology Risk Governance and Oversight

The revision to the TRM Guidelines mandates the need for members of the board of directors and senior management to have in their midst individuals who posses the necessary skills, expertise and understanding to manage technology risks. FIs are also required to appoint appropriate officers to establish a risk management framework.


Under the new TRM Guidelines, Financial Institutions (FIs) are also required to maintain a list of all its information assets to enable better technology risk governance and oversight. FIs have also been tasked with conducting assessment of its service providers exposure to various technological risks. This requires FIs to ensure that due diligence is carried out on its service providers to identify, mitigate, and manage risks associated with the loss of data confidentiality, integrity and service availability.


Finally, FIs are to conduct scenario-based assessment and identify risk owners who will be accountable for ensuring proper risk treatment measures are implemented and enforced. Residual risks are to be identified, logged, and reviewed periodically to ensure they remain at an acceptable level.


  1. Cyber Security Operations and Assessment

The 2021 revised guidelines provide that FIs should procure cyber intelligence monitoring services and actively participate in cyber threat information-sharing arrangements with trusted parties to share and receive timely and actionable cyber threat information.


FIs should have in place monitoring and surveillance systems to detect suspicious or malicious activity across its cyber systems. FIs are advised to:-

  1. establishing a security operations centre or acquire managed security services;
  2. applying user behavioural analytics to enhance the effectiveness of security monitoring.


FIs are also required to establish a cyber incident response and management plan to swiftly isolate and neutralise a cyber threat and to securely resume affected services. FIs should also include a process to investigate and identify the security or control deficiencies that resulted in the security breach as part of the plan.


FIs should also conduct regular vulnerability assessment (VA) and penetration testing on their IT systems to obtain an in-depth evaluation of its cyber security defences and identify security vulnerabilities and ensure risks arising from these gaps are addressed in a timely manner.


In order to validate and review its response and recovery capabilities, as well as to validate the effectiveness of its cyber defence and response plan FIs are required to carry out regular scenario-based cyber exercises and adversarial attack simulation exercises.


  1. IT Project Management and Security-By-Design

FIs are to establish a project management framework that sets out standards and procedures for vendor evaluation and selection, monitor vendors’ controls, implement safeguards and put in place source code escrow agreements in the event that the vendor is unable to support the FI. FIs also have the responsibility to adopt a security-by-design approach when establishing a framework to manage its system development life cycle based.


FIs also have to ensure that quality assurance is performed by an independent quality assurance function to assess whether project activities and deliverables comply with the FI’s policies, procedures and standards.


  1. Software Development and Management

Under the TRM revisions, FIs should adopt secure software development best practices. MAS recommends adopting:-


  1. An A.G.I.L.E project management approach, where FIs are to ensure secure coding, source code review and application security testing standards are applied
  2. DevSecOps management practices requiring FIs to implement adequate security measures and enforce segregation of duties for the software development, testing and release functions during the DevSecOps process
  3. SOP to establish adequate safeguards to manage the development and provision of Application Programming Interfaces (APIs) for secure delivery of such services.


  1. Access Management

FIs are to establish a password policy and a process to implement and enforce strong password controls. Security measures such as Multi-factor authentication should be implemented for users with access to sensitive system function especially for users accessing those systems remotely. FIs are also to be prudent in allowing access to its information assets remotely. Remote access to the FIs information assets should only be allowed from devices that have been secured according to the FI’s security standards.


  1. Internet of Things (IoT)

FIs are to maintain an inventory of all its IoT devices which will include information such as the networks which they are connected to and their physical locations. FIs should assess and implement processes and controls to mitigate risks posed by these assets, secure the network on which they are hosted and prevent unauthorized access to IoT devices. FIs should also monitor IoT devices for suspicious or anomalous system activities.


  1. Virtualisation

Strong access controls should be implemented to restrict administrative access to the hypervisor and host operating system as both control the guest operating systems and other components in the virtual environment. The FI should establish policies and standards to manage virtual images and snapshots. The standards should have the rigor to provide the same level of security as a non-virtualised IT environment and should include details that govern the security, creation, distribution, storage, use, retirement and destruction of virtual images and snapshots to protect these assets against unauthorised access or modification.


FIs should consider conducting analysis on their TRM Policies and assess their ability to meet the new requirements set out in the revised 2021 TRM Guidelines. For more help with Technology Risk Management, please do not hesitate to contact us.


[1] Quote attributed to famed Author, Isaac Asimov.

The information provided herein is for informational purposes only and should not be construed as professional or legal advice. While Credence Consulting Pte. Ltd. (Credence) believes that its sources are reliable, we make no representation or warranty as to the accuracy of the contents. You should contact your legal counsel to obtain advice with respect to any particular matter raised. The opinions expressed here or through our website are the opinions of the individual author only and are not legally binding, and may not reflect the opinions of Credence or any individual partner or director.