Are There Any Specific Requirements Related to Technology Risk Management and Cybersecurity?
Introduction to Technology and Cybersecurity Requirements
The financial sector is one of the industries that has become heavily dependent on technology for delivering services, running operations and storing sensitive information in the digital age. This dependency brings opportunities as well as serious risks. As cyber threats grow more advanced and more frequent, financial institutions, such as fund management companies, have to strengthen their security measures to protect their stakeholders and sustain trust within the financial environment.
Recognising these risks, the Monetary Authority of Singapore (MAS) has issued clear and strong MAS technology risk management requirements for financial institutions. The purpose of these requirements is to ensure that financial institutions take a proactive and robust approach to managing technological vulnerabilities and protecting customer information. The following article provides an insight into the key pillars of MAS regulatory expectations in this sphere: governance, risk identification, cyber hygiene, incident response, and compliance requirements.

Governance and Accountability in Technology Risk Management
Among the keystones of the MAS framework is the notion that technology risk has to be managed at the highest levels of a financial institution. This implies that the board of directors and senior management are not only required to be knowledgeable about technology-related risks, but also to incorporate them into the overall enterprise risk management strategy.
MAS underlines that accountability is supposed to be evident and properly documented. IT risk management policies should be approved by the board, and senior executives should make sure that sufficient resources, both human and technological, are allocated to maintaining a secure IT environment. An IT risk manager, a Chief Information Officer (CIO) or a Chief Technology Officer (CTO) is commonly appointed to run day-to-day operations, assisted by IT risk teams and cyber security experts.
Moreover, internal audits have to cover technology and cyber risks, so that the firm can verify that its governance structures are actually operating. Good governance also means that fund management companies should align their internal structures with industry best practices, such as ISO 27001 or the NIST cybersecurity guidelines.
By placing technology risk under leadership control, MAS ensures that cybersecurity is not managed as a purely technical challenge, but as a business-level priority.
Risk Identification, Assessment, and Management Practices
MAS stipulates that financial institutions should perform periodic reviews of their IT systems and processes to determine weaknesses and possible points of failure. This involves examining both internal risks (e.g., system configuration, software defects, access permissions) and external threats (e.g., hacking, phishing, ransomware attacks).
In conjunction with risk identification, there must be an effective risk classification system which categorises systems and data according to criticality. For example, a core fund administration platform or a client onboarding system would be considered mission-critical and would require elevated controls.
After identification, companies should deploy adequate risk mitigation controls such as network security architecture, data encryption, access management and secure coding practices. Systems that process confidential information must have multi-layered security measures, including firewalls, intrusion detection, and endpoint security.
MAS also promotes regular penetration testing and vulnerability assessment. Such tests involve simulated cyberattacks to identify weak points in the firm's defences, so that the institution can correct the problem before it is exploited by malicious actors.
Additionally, fund managers must explicitly evaluate the technology risks of third-party vendors, particularly those managing cloud services, data storage or IT infrastructure. MAS stipulates that agreements covering such outsourcing must address cybersecurity responsibility, incident reporting and audit rights.
Cyber Hygiene Standards and Technical Controls
To establish a minimum level of security standards within the financial industry, MAS has issued the Cyber Hygiene Notice, which requires all licensed financial institutions, including fund management companies, to implement particular technical controls.
Some of the requirements firms have to comply with under this Notice include:
- Setting up multi-factor authentication (MFA) on systems that have administrative access or access to sensitive customer information.
- Patch management to remediate known software vulnerabilities within a reasonable time.
- Deploying anti-malware protection on end-user systems and critical systems.
- Limiting privileged access rights according to job responsibilities and reviewing them periodically.
- Implementing adequate security logging and monitoring to identify abnormal or unauthorised activities.
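The MFA and logging/monitoring controls in the list above are easier to reason about when you see what a monitoring rule actually does with the log events an institution collects. The following Python script is an added example written for this article, not code from MAS or the Cyber Hygiene Notice: it parses a handful of constructed authentication events and applies four simple rules (a privileged login without MFA, a privileged login from outside the assumed corporate network, a privileged login outside assumed business hours, and a burst of failed logins for one account). The log field names, the 10.0.0.0/8 internal range, the 07:00 to 19:59 UTC business window and the five-failures-in-ten-minutes threshold are all assumptions made for the example.

```python
"""Toy security-monitoring rules over constructed authentication events.

Added example for this article; not MAS or Cyber Hygiene Notice code.
All log lines below are constructed, and every field name and threshold
is an assumption chosen for illustration.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (JSON lines), roughly what an identity provider
# or bastion host might emit. Field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:00Z", "user": "alice", "role": "admin", "mfa": true, "src": "10.0.5.21", "result": "success"}
{"ts": "2024-03-04T09:15:00Z", "user": "bob", "role": "analyst", "mfa": false, "src": "10.0.5.40", "result": "success"}
{"ts": "2024-03-04T23:47:00Z", "user": "alice", "role": "admin", "mfa": false, "src": "203.0.113.9", "result": "success"}
{"ts": "2024-03-04T23:48:00Z", "user": "svc-backup", "role": "admin", "mfa": false, "src": "10.0.5.21", "result": "success"}
{"ts": "2024-03-05T02:10:00Z", "user": "carol", "role": "analyst", "mfa": true, "src": "198.51.100.7", "result": "failure"}
{"ts": "2024-03-05T02:10:30Z", "user": "carol", "role": "analyst", "mfa": true, "src": "198.51.100.7", "result": "failure"}
{"ts": "2024-03-05T02:11:00Z", "user": "carol", "role": "analyst", "mfa": true, "src": "198.51.100.7", "result": "failure"}
{"ts": "2024-03-05T02:11:30Z", "user": "carol", "role": "analyst", "mfa": true, "src": "198.51.100.7", "result": "failure"}
{"ts": "2024-03-05T02:12:00Z", "user": "carol", "role": "analyst", "mfa": true, "src": "198.51.100.7", "result": "failure"}
"""

# Assumed tuning values for the rules (not taken from any regulation).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
BUSINESS_HOURS = range(7, 20)                         # 07:00-19:59 UTC, assumed
FAILURE_THRESHOLD = 5                                 # failed logins per window
FAILURE_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse JSON-lines log text into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect(events):
    """Apply the four monitoring rules and return a list of findings.

    Each finding is a dict with the rule name, the user and the event time.
    """
    findings = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins

    for ev in sorted(events, key=lambda e: e["ts"]):
        privileged = ev["role"] == "admin"
        success = ev["result"] == "success"

        if privileged and success:
            # Rule 1: administrative access must be protected by MFA.
            if not ev["mfa"]:
                findings.append({"rule": "admin_login_without_mfa", "user": ev["user"], "ts": ev["ts"]})
            # Rule 2: privileged logins from outside the corporate network are abnormal.
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in INTERNAL_NETS):
                findings.append({"rule": "admin_login_from_external_ip", "user": ev["user"], "ts": ev["ts"]})
            # Rule 3: privileged logins outside business hours warrant review.
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.append({"rule": "admin_login_out_of_hours", "user": ev["user"], "ts": ev["ts"]})

        if not success:
            # Rule 4: a burst of failures for one account within a sliding window.
            window = failures[ev["user"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAILURE_WINDOW:
                window.pop(0)
            if len(window) == FAILURE_THRESHOLD:  # fire once when the threshold is crossed
                findings.append({"rule": "repeated_auth_failures", "user": ev["user"], "ts": ev["ts"]})

    return findings


def summarize(findings):
    """Count findings per rule, the shape a daily monitoring report would use."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f['ts'].isoformat()}  {f['rule']:<30} {f['user']}")
    print(summarize(detect(parse_events(SAMPLE_LOG))))
```

Run against the constructed log, the rules flag the two administrative logins made without MFA (one of them also from an external address and both outside business hours) and the burst of failed logins against one analyst account, while the ordinary daytime administrative login passes. In a real deployment the same rule logic would sit in a SIEM or log pipeline, the internal ranges and hours would come from configuration, and each finding would feed the escalation procedures described in the incident response section.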
These measures form part of the cybersecurity compliance standards for fund management companies in Singapore, helping institutions become resilient and reduce the chances of a successful cyberattack.
MAS expects firms to go beyond compliance and integrate these standards into their system development lifecycle (SDLC), software update processes, and IT architecture. As an illustration, new applications are expected to be developed according to secure coding principles, whereas cloud-based platforms are to be equipped with effective identity management practices.
Non-compliance with cyber hygiene requirements can lead to regulatory measures such as the issuance of formal warnings or the imposition of financial penalties, particularly when the non-compliance has contributed to a data breach or service outage.
Incident Response and Cybersecurity Preparedness
Under MAS requirements, financial institutions must implement and maintain a Technology Incident Response and Recovery Plan. This plan defines how a firm should identify, respond to and recover from technology or cyber incidents. It includes escalation procedures, communication steps with MAS, and mitigation strategies. MAS also expects institutions to test and update the plan on an ongoing basis as part of the regulatory expectations for incident response and cyber hygiene, ensuring preparedness and quick recovery from potential cyber threats.
The plan must include:
- Incident identification and escalation procedures within an appropriate time.
- Well-established internal response teams.
- Communication procedures to inform MAS and the stakeholders concerned.
- Containment and mitigation steps to limit the incident's impact.
- Post-incident reviews to examine root causes and put corrective actions in place.
For fund management companies, a cyber incident may have broad implications such as loss of investor confidence, data loss or theft, or regulatory investigation. The response plan should therefore be tested adequately through simulated exercises and revised in light of the lessons learned.
MAS also requires that material incidents be reported to the Authority within one hour of detection. This applies to incidents that are material in nature and affect operations, data integrity or client services. Timely reporting allows MAS to evaluate the possible effect on the rest of the financial system and plan a supervisory response where needed.
In 2021, MAS also established the Cyber Security Advisory Panel (CSAP), which consists of international industry practitioners who advise on ways to strengthen the cyber resilience of the financial sector in Singapore. Its recommendations help shape regulatory expectations concerning incident preparation and recovery plans.
Compliance, Audits, and Regulatory Expectations
Cybersecurity and technology risk management are no longer optional or niche issues but lie at the centre of regulatory expectations. MAS has incorporated them into licensing assessments, regular inspections and thematic reviews of financial institutions.
During its supervisory process, MAS examines whether a firm has an effective technology risk governance framework in place. This involves assessing internal controls, employee education, vendor management and continuous risk monitoring. Firms that do not meet expectations can receive directions to improve their cybersecurity posture, or face enforcement action where non-compliance is found to be negligent.
Fund management firms should also keep adequate records of policies, procedures, audit results and testing outcomes. Such records can be requested during an inspection or following a technology incident. Periodic internal or external audits should check whether the requirements of the MAS Technology Risk Management Guidelines and the Cyber Hygiene Notice are met.
To keep up with the ever-changing threat landscape, MAS encourages institutions to join sector-wide cybersecurity efforts, including information-sharing platforms, cyber threat intelligence (CTI) partnerships, and industry forums. The Authority is also open to innovation-promoting activities, such as the Financial Services Cybersecurity Roundtable, which contributes to future developments in regulation.
In short, MAS demands that fund managers and other financial institutions demonstrate a culture of cyber awareness, preparedness and resilience, not regulatory box-ticking.
Conclusion
Cyber threats are increasing in volume and sophistication, and MAS remains a step ahead in raising the regulatory bar to safeguard the financial sector in Singapore. For fund management companies, the MAS technology risk management and cybersecurity requirements are not just a regulatory obligation, but also a measure of business continuity, investor confidence and operational resilience.
Through its frameworks, MAS sends a strong signal: cybersecurity is a collective responsibility, from the boardroom to the server room. By putting in place effective governance frameworks, technical controls, and incident preparedness plans, financial institutions can meet their regulatory requirements as well as their responsibility towards their clients and markets.
The consequences of failing to do so may include data leakage, reputational loss and regulatory sanction, which is the last thing any fund manager needs in the age of digitalisation.