As part of our ‘Spotlight on’ series, we have been delving into the topic of operational resilience and third-party risk management within financial institutions (FIs), exploring what the latest guidelines and proposals released by regulators across the globe mean for businesses across the sector.
In this installment, Simon Fieldhouse, global managing director – Software Resilience, offers his insight into the latest version of the Monetary Authority of Singapore’s (MAS) Technology Risk Management (TRM) guidelines, published earlier this year.
What do the guidelines say?
Following a public consultation in 2019 and engagement with professionals across the cyber security industry, the MAS revised its 2013 guidelines.
As with the UK’s PRA rules and the EU’s Digital Operational Resilience Act (DORA) proposals, the guidelines recognise that the technologies and infrastructure adopted across the sector have grown in complexity over the years. They also recognise how the cyber threat landscape is evolving rapidly – signalling that cyber and software resilience are converging into one, to create what might be referred to in future as ‘digital resilience’.
With this in mind, the new guidelines set out expectations for FIs in the following areas:
- Oversight of all third-party providers
- System and software development
- Guidance on board and senior management roles
Oversight of all third-party providers
The MAS's recognition that risk must be considered across all third parties, not just outsourced service providers, is one of the most important updates to the guidelines, if not the most important. As reliance on third-party software and its availability continues to increase, FIs must ensure that all providers they work with have the necessary risk mitigation and business continuity measures in place.
While the focus on business continuity and risk management in relation to third party technology isn't a novel concept for a financial regulator, the MAS has gone a step further to outline specific solutions FIs are able to adopt to ensure their adherence to regulatory requirements.
The MAS specifically sets out that FIs must ensure software escrow agreements and verification testing are built into contracts before entering into a third-party agreement. This means ensuring that any third party you work with meets a high standard of compliance and due diligence when it comes to the security and resilience of its service, whatever that service is. Where an escrow agreement cannot be implemented, suitable alternatives to the software should also be identified.
System and software development
On the flipside, MAS has also acknowledged how FIs are increasingly developing their own software in-house, meaning that there needs to be a range of practices followed to ensure these systems and software remain resilient and secure. In the latest version of the TRM, the MAS sets out that FIs should implement and follow strict standards around secure coding, source code review and application security testing.
Board and senior management roles
The continuous management and assessment of the supply chain and third-party networks will be crucial in ensuring FIs can keep up with the evolving nature of technology and factors that could risk the availability and integrity of services.
However, to drive this, there must be clarity on the roles and responsibilities of the board of directors and senior management. To ensure that processes are successful on an ongoing basis, the TRM, both in 2013 and 2021, has required the board to ensure the TRM framework is established and maintained.
Updates to the guidance this year focus on ensuring that a chief information officer and a chief information security officer are appointed, with the expertise to carry out these roles. But this responsibility isn’t confined to these roles alone – every staff member should be trained on technology risk to ensure the FI can keep pace with developments.
Keeping pace with technological change and risks
Technology and its associated risks will never stand still, which means that regulators and businesses need to keep pace. The guidelines set out by the MAS are world-leading in many ways and much like the UK, Singapore is deeply committed to embracing the technologies of the future while keeping their citizens safe and secure.
This is backed by recent negotiations between Singapore and the UK on a Digital Trade Agreement to support the growth of high tech markets, and builds on ambitions to lead in setting global digital standards. As a result, the UK and Singapore have since established a new financial partnership to strengthen cooperation on financial services regulation, deepen cooperation on growth sectors like fintech and lawtech, as well as enhancing bilateral cyber security cooperation and building collective cyber capabilities.
These commitments, and the decision to signpost the use of escrow agreements for FIs, should act as a battle cry for regulators across the world to follow suit. While some already are, including counterparts in the UK and Europe, widespread attention on this is needed to ensure that FIs across the globe can continue to innovate soundly.
Simon Fieldhouse, Global Managing Director - Software Resilience, NCC Group