fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Revised Technology Risk Management Guidelines of Singapore

Revised Technology Risk Management Guidelines of Singapore
2021 Revised Technology Risk Management Guidelines of Singapore

The Revised Technology Risk Management Guidelines of Singapore 

After engaging with cyber security experts and using the feedback from a 2019 public consultation, the Monetary Authority of Singapore (MAS) has recently revised its Technology Risk Management Guidelines (“TRM Guidelines”). While there are some overlap between the revised 2021 Edition and  the previous 2013 Edition, the TRM guidelines have been developed to keep pace with the current trends in technology deployment and development. 

On January 28, 2021, MAS issued a new Technology Risk Management Guidelines which refreshed the 2013 Guidelines and heavily updated it. The new and updated guidelines apply to all Financial Institutions which include payment services licensees. 

There are three (3) key categories in the seven (7) key amendments to the 2021 TRM Guidelines and these are: Additional guidance on the roles and responsibilities of the Board of Directors and Senior Management; Stringent assessments of third party vendors and entities that access the FI’s IT systems; and Introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem. The key changes are summarized below.

7 Key Amendments of Revised Guidelines of Singapore

Additional guidance on the roles and responsibilities of the Board of Directors and Senior Management

  1. Expanded roles and responsibilities for the Board of Directors and Senior Management

This amendment provides that it must be ensured by the Board and Senior Management that a Chief Information Officer (or its equivalent) and a Chief Information Security Officer (or its equivalent), possessing the required experience and expertise, are appointed to be accountable for managing technology and cyber risks (3.1.3, 2021 Guidelines). 

It is also imperative for the Board and Senior Management to include members that possess knowledge of cyber risk and technology (3.1.2, 2021 Guidelines). Furthemore, 2021 Guidelines also provides for an extended list of responsibilities of Board and Senior Management or technology risk management (3.1.7 & 3.1.8, 2021 Guidelines). 

More stringent assessments of third party vendors and entities that access the FI’s IT systems

  1. Assessment of tech vendors

Under the revised guidelines, FIs are now required to establish standards and procedures for vendor evaluation that is pegged to the criticality of the project deliverables to the FI (5.3.1, 2021 Guidelines). This assessment comprises a detailed analysis of the vendor’s software development, security practices, and quality assurance (5.3.2 to 5.3.4, 2021 Guidelines).

  1. Assessment of third parties’ suitability in connecting to Application Programming Interface (APIs) and governing third party’s API access
2021 Revised Technology Risk Management Guidelines of Singapore

Under the revised guidelines, FIs are also now required to develop a well-defined vetting process for assessing third party entities that wish to access their Application Programming Interface (“API”) and for governing the nature of the API access (6.4.2, 2021 Guidelines). This vetting process includes, amongst others, evaluating the third party’s nature of business, industry reputation, cyber security posture, and track record (6.4.2, 2021 Guidelines). 

Also Read: Compliance With Singapore Privacy Obligations; Made Easier!

Introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem

  1. Cyber Threat Monitoring and Information Sharing

Under the Revised Technology Risk Management Guidelines of Singapore, FIs are now required to establish a process of collecting, processing and analysing cyber related information (12.1.1, 2021 Guidelines), and this information should be buttressed by cyber intelligence monitoring services (12.1.2, 2021 Guidelines). 

Furthermore, it is imperative for FIs to establish a security operations centre or acquire managed security services in order to facilitate the continuous monitoring and analysis of cyber events (12.2.1, 2021 Guidelines). 

  1. Cyber Incident Response and Management

Under the Revised Technology Risk Management Guidelines of Singapore, FIs are required to establish a Cyber Incident Response and Management plan to isolate and neutralize a cyber threat and to securely resume affected services. With this, FIs need to establish a process to investigate and identify the security or control deficiencies and lay out the communication, coordination and response procedures to address such threats (12.3.1 & 12.3.2, 2021 Guidelines).  

  1. Cyber Security Assessments

Under the Revised Technology Risk Management Guidelines of Singapore, it is imperative for FIs to assess their cyber security through vulnerability assessment and penetration testing. It dictates the minimal requirements of the vulnerability assessment which include the vulnerability discovery process, an identification of weak security configurations and open network ports and the extent of penetration testing to be carried out (13.1.2, 2021 Guidelines). 

Furthermore, the Penetration Testing under the 2021 Guidelines will now require FIs to perform a combination of blackbox and greybox testing (13.2, 2021 Guidelines). 

  1. Simulation of cyber attacks tactics, techniques and procedures

Under the Revised Technology Risk Management Guidelines of Singapore, it is now imperative for FIs to carry out regular scenario-based cyber exercises to validate their response and recovery plan. According to the provision, these exercises should involve the Senior Management, business functions, technical staff responsible for cyber threat detection, response and recovery and other relevant stakeholders (13.3.1 & 13.3.2, 2021 Guidelines). It also provides that these exercises should be in the form of an adversarial attack by a red team in order to test and validate the effectiveness of its cyber defence and response plan (13.4.1, 2021 Guidelines). Afterwards, it should be followed by a comprehensive remediation process(13.6.1, 2021 Guidelines).

What does this mean to Businesses in Singapore?

Monetary Authority of Singapore expects the Financial institutions and its businesses to comply with the Revised Technology Risk Management Guidelines of Singapore, particularly bearing in mind:

  • The need to conduct a stock take of information assets of the FI , as well as the processes and controls that are in place to manage these information assets according to their security classification or criticality
  • The need for a heightened awareness of certain cyber security risks

Whereas if there is failure to comply with these mandatory obligations, penalties will be imposed. 

Also Read: What You Need to Know About Singapore’s Data Sharing Arrangements

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us