MAS proposes revisions to Technology Risk Management Guidelines and Business Continuity Management Guidelines

28 March 2019

On 7 March 2019, the Monetary Authority of Singapore (“MAS”) released two consultation papers seeking feedback on proposed amendments to the Technology Risk Management Guidelines (“TRM Guidelines”) and the Business Continuity Management Guidelines (“BCM Guidelines”). The proposed revisions will require financial institutions (“FIs”) to put in place enhanced measures to strengthen operational resilience, in view of the rapidly changing physical and cyber threat landscape. The consultation closes on 8 April 2019.

TRM Guidelines

Published in 2013, the TRM Guidelines set out TRM principles and best practices for the financial sector. The proposed amendments to the TRM Guidelines focus on technology risk governance and oversight, software development and management, emerging technologies and cyber resilience.

Guidance on technology risk governance and oversight

Under proposed revisions to the TRM Guidelines, both the board of directors and senior management should have members with the knowledge to understand and manage technology risks, including risks posed by cyber threats. They should also cultivate a strong culture of TRM and awareness at all levels of staff within the FI.

The revised TRM Guidelines will also spell out the responsibilities of the board of directors (or a committee delegated by it) and senior management in relation to the governance and oversight of technology risk. These include the establishment and maintenance of a sound and robust risk management framework to manage technology risks.

Secure software development and management

The revised TRM Guidelines will also have specific provisions relating to Agile development methods and DevOps practices, which many FIs have adopted to facilitate rapid software delivery. These include the following:

• Agile software development: An FI when adopting Agile software development methods should continue to incorporate the necessary security practices throughout its Agile process to ensure that the security of the application is not compromised. During Agile software development, the FI should continue to ensure that secure coding, source code review and application security testing standards are applied.
• DevOps management: An FI should ensure that its DevOps activities and processes are aligned with its system development life cycle (SDLC) framework and IT service management processes (e.g. configuration management, change management and software release management). The FI should also enforce segregation of duties for the development, testing and operations functions in its DevOps processes, and ensure the timely logging and review of DevOps activities.

Managing risks arising from emerging technologies

It is also proposed that the TRM Guidelines be revised to include additional guidance to manage risks arising from emerging technologies, including the following:

• Virtualisation security: FIs should ensure that all components of a virtualisation solution (e.g. the hypervisor, host operating system and guest operating system) have the same level of security and resilience as a non-virtualised IT environment. To restrict administrative access to the hypervisor and host operating system, strong access controls should be implemented. The FI should establish policies and standards to manage virtual machines images and snapshots to protect these assets against unauthorised access or modification.
• Internet of Things: FIs should assess and implement processes and controls to mitigate risks arising from Internet of Things (“IoT”). FIs should maintain an inventory of all their IoT devices, the networks which they are connected to and their physical locations. Further, the network that hosts IoT devices should be secured using strong authentication and network access controls to limit the cyber attack surface.

Strengthening cyber resilience

The revised TRM Guidelines will support a defence-in-depth approach to strengthening cyber resilience. The proposed revisions include guidance on cyber surveillance, cyber security assessment and testing, and cyber incident management. For example, FIs should carry out penetration testing to obtain an in-depth evaluation of their cyber security defences. A combination of blackbox and greybox testing should be conducted for online financial services. FIs will also be encouraged to perform an adversarial attack simulation exercise to test and validate the effectiveness of their cyber defence and response plan against prevalent cyber threats.

BCM Guidelines

The BCM Guidelines were first issued to the financial industry in June 2003, focusing on the organisational response and recovery process to minimise the impact of business disruptions. In January 2006, an addendum was issued to provide further guidance on pandemic and physical security measures.

The proposed revisions to the BCM Guidelines will raise standards for FIs in the development of business continuity plans that will better account for interdependencies across FIs’ operational units and linkages with external service providers. MAS expects FIs to adopt the BCM Guidelines within one year following its publication. The revised BCM Guidelines will also supersede MAS Circular SRD BCM 01/2006.

Revised definition of “business function”

The current BCM Guidelines set out MAS’ expectations of how an FI is to identify business functions that are critical and prioritise them for recovery in a disruption. Such functions could include completing payment instructions, clearing and settling transactions, and fulfilling end-of-day funding and collateral obligations.

MAS has observed that FIs have established business functions and conducted BCM planning along organisational lines (e.g. by department or unit). However, where the delivery of a service depends on processes performed by several different units, this could result in omissions in considering dependencies between processes. MAS thus proposes to revise the definition of business function to a service that an FI ultimately provides to its customers. Delivery of a service will likely require a number of business processes to be performed. One example given in the MAS consultation paper is the “securities trading” business function of a brokerage. This function could entail the following processes: (a) trade initiation; (b) trade execution; (c) trade capture; (d) trade validation; (e) trade agreement; (f) trade settlement; and (g) trade reconciliation. Each process, in turn, requires specific resources and expertise (e.g. IT systems, personnel) to be performed.

In addition to defining recovery time objectives (“RTO”) and recovery point objectives (“RPO”) at the business function level as set out in the current BCM Guidelines, an FI should set a minimum performance level for each business function. The minimum performance level, RTO and RPO would constitute the business continuity objectives for each business function.

Additional responsibilities of board of directors and senior management

The revised BCM Guidelines will emphasise the role of the board of directors and senior management in demonstrating their leadership and commitment in building an organisational culture that embeds business continuity as part of an FI’s business-as-usual (“BAU”) considerations and day-to-day risk management.

Among other things, MAS proposes that the board of directors take on additional responsibilities to:

• review and endorse, at least annually, the FI’s BCM, and ensure that the framework comprises comprehensive policies, processes and procedures, appropriate oversight and escalation elements;
• review and endorse, at least annually, the FI’s critical business functions, business continuity objectives and the level of residual risk it is willing to accept after the relevant business continuity measures have been put in place; and 
• satisfy itself that adequate resources, including budget, technology, and staff are allocated to facilitate the implementation of an effective BCM.

Revisions to scope of business continuity plans

The proposed BCM Guidelines will expect FIs to have in place end-to-end business continuity plans for each service that is delivered to their customers, thereby drawing out any internal or external dependencies. Among other things, the proposals include requiring FIs to review and, where necessary, enhance the robustness and comprehensiveness of their business continuity plans by covering the full recovery process for a given business function from immediate response to the resumption of business functions to minimum levels, and the subsequent restoration to BAU levels.

Enhanced measures relating to BCM tests and audits

MAS states that it continues to expect FIs to conduct different types of testing to gain confidence in their ability to continue to operate reliably, responsively and efficiently as planned. Specifically, an FI should, at a minimum, conduct annually a crisis management and communications exercise involving all crisis management team members and their alternates and a test relating to the business continuity plan for each critical business function.

In addition, MAS proposes that an FI: (i) conduct BCM audits through a unit independent of the staff involved in the planning and execution of the BCM itself (e.g. internal audit), (ii) check that the scope of BCM audits is sufficiently comprehensive and includes all critical business functions, and (iii) develop a BCM audit plan, to be approved by the FI’s Audit Committee, comprising auditable areas for the coming year.

Reference materials

The following materials are available on the MAS website www.mas.gov.sg:

• Media release 
• Consultation Paper on Proposed Revisions to Technology Risk Management Guidelines 
• Consultation Paper on Proposed Revisions to Guidelines on Business Continuity Management

Download PDF