22 June 2026

On 10 June 2026, the Monetary Authority of Singapore (“MAS”) published its Consultation Paper on Proposed Amendments to Notices on Technology Risk Management (“Consultation Paper”). The Consultation Paper seeks views on proposed amendments to the MAS Notices on Technology Risk Management (FSM-N03, FSM-N05, FSM-N07, FSM-N09, FSM-N11, FSM-N13, FSM-N17, FSM-N19, FSM-N21, FSM-N23, and FSM-N25) (“Notices”) to reinforce the importance of the stipulated risk management measures and strengthen the technology resilience of financial institutions (“FIs”) amid the increasing digitalisation and evolving risk landscape. The consultation closes on 31 July 2026.

The proposed amendments relate to IT asset management, IT risk assessment and monitoring, capacity planning and management, change management controls, continuous system and security monitoring, immutable and offline data backup, and incident management.

IT asset management

IT asset management involves the planning, tracking, handling, and monitoring of an organisation’s IT assets to maintain effective control and oversight across their lifecycle. A key requirement under IT asset management is the maintenance of a proper inventory of IT assets. This provides FIs with an accurate view of their IT operating environment and supports other IT processes.

MAS proposes that FIs maintain a comprehensive and up-to-date inventory of all their IT assets, including hardware, software, cryptographic assets, and open-source and third-party components. Comments are sought on the proposed scope of the inventory and the information to be recorded and maintained by FIs.

IT risk assessment and monitoring

IT risk assessment and monitoring are essential for enabling effective risk management in FIs. In conducting IT risk assessments, FIs must consider the threats and vulnerabilities that their systems may be subject to, including those associated with their IT supply chains and the use of artificial intelligence, and assess the risks that could arise from these threats and vulnerabilities, including the potential likelihood and impact of such risks affecting the FI’s operations or the services provided to its customers (“identified risks”), in accordance with the FI’s established risk assessment criteria.

MAS proposes that FIs establish and maintain a framework and process to conduct regular IT risk assessments that cover these areas and implement risk mitigation measures that are commensurate with the identified risks (“risk mitigation measures”).

MAS also proposes that FIs maintain an IT risk register that records (i) the material identified risks; (ii) the risk owners who will be accountable for managing the material identified risks; and (iii) the measures to mitigate the material identified risks. Additionally, FIs must establish and maintain key risk indicators to effectively monitor the material identified risks and the effectiveness of the measures to mitigate the material identified risks.

Capacity planning and management

MAS proposes that FIs establish a framework and process to ensure that the capacity of all critical systems, and of the systems that the critical systems depend on, is sufficient to meet business needs, including projected business growth and potential surges in customer traffic. MAS also seeks comments on whether a specific frequency should be prescribed for capacity planning.

Change management controls

MAS has observed that a significant number of IT incidents in FIs were attributed to poor change management.

MAS proposes requiring FIs to implement effective controls to prevent unauthorised system changes so as to maintain system integrity and availability.

FIs are also required to establish and maintain a framework and process to assess the risks arising from proposed changes to their systems prior to implementation. Such assessments must evaluate the potential impact arising from the failure or incorrect implementation of the proposed changes, including any effects on upstream and downstream systems. FIs must implement risk mitigation measures that are commensurate with the risks identified.

FIs must also carry out testing for all changes to critical systems before they are implemented in the production environment, with effective change recovery measures in place to recover any critical system affected by any issue arising during or after change implementation.

Continuous system and security monitoring

MAS has observed that a number of major IT incidents resulted from inadequate monitoring, delayed detection, or slow response in rectifying the underlying causes, and could have been averted through timely detection and response.

MAS proposes that FIs establish and maintain a framework and process to continuously monitor all critical systems for timely detection and response to issues affecting the system performance or security. FIs must ensure that the framework and process include, at a minimum, (i) defined indicators and thresholds that trigger alerts; and (ii) response procedures and remedial actions that are commensurate with the nature and potential impact of the identified issue.

Immutable and offline data backup

System bugs, cyber-attacks, and human errors can lead to loss and corruption of data that is essential to the delivery of FIs’ business services.

MAS proposes a requirement for FIs to maintain an immutable or offline backup of data that is crucial for supporting the FI’s relevant business services to enable timely and reliable resumption of such services in the event the production data is corrupted, tampered with, or made inaccessible.

MAS also seeks views on whether to prescribe the backup frequency for immutable and offline data backup.

Incident management

MAS proposes that FIs establish an incident management framework and process, with clearly defined roles and responsibilities for managing and responding to IT incidents, including procedures to collect and preserve evidence for incident investigation, stakeholder and customer communication, and prompt notification to FIs’ senior management upon identification of the IT incident to enable informed decision-making.

Monitoring of unscheduled downtime

The current Notices require FIs to ensure that the total unscheduled downtime for each critical system does not exceed four hours within any 12-month period. Accordingly, FIs are required to monitor and document any such downtime that affects their operations or services to customers. However, MAS has observed that some FIs did not account for partial and intermittent disruptions, undermining the intent of this requirement.

MAS therefore proposes to make it clear and explicit in the Notices that any “partial or intermittent disruption” must be included in the computation of unscheduled downtime for critical systems.

Implementation date

MAS proposes that the requirements set out in the revised Notices shall take effect 12 months after the date that the finalised Notices are published.

Reference materials

The Consultation Paper is available on the MAS website www.mas.gov.sg.
