
The Monetary Authority of Singapore (MAS) is both the central bank and the chief financial regulator of Singapore. As such, it publishes best practices (“Guidelines”) and legally binding regulations (“Notices”) on technology risk management and cyber hygiene. Mandatory requirements include:
- Notice on Technology Risk Management (FSM N21)
- Notice on Cyber Hygiene (FSM N22)
- Notice on Management of Outsourced Relevant Services for Banks (MAS Notice 658) and Merchant Banks (MAS Notice 1121)
The MAS Technology Risk Management (TRM) Guidelines offer best-practice standards that give financial institutions insight into how to implement the compliance obligations set out in the above Notices. Additionally, in September 2024, MAS established the Cyber and Technology Resilience Experts (CTREX) Panel to bolster technology and cybersecurity best practices, with the aim of improving the operational resilience of Singapore’s financial sector.
Who Must Comply with MAS Cybersecurity and Risk Management Notices?
The Monetary Authority of Singapore’s Notice on Technology Risk Management (MAS TRM) and Notice on Cyber Hygiene are legally binding and apply to all financial institutions operating in Singapore, including:
- Banks
- Insurance companies
- Fintech firms
- Payment service providers
- Venture capital managers
And more: the Notices cover all financial institutions regulated by MAS.
Penalties for Not Complying with MAS Notices
With the passing of the Financial Services and Markets (FSM) Bill in 2022, MAS was given consolidated authority over Singaporean financial institutions, including the power to impose penalties for non-compliance with relevant Regulations and Notices. Under the FSM Bill, the maximum penalty for a data breach under these laws is $1 million, and higher if the breach reveals multiple compliance infractions.
The MAS Notice on Technology Risk Management (TRM)
The MAS Notice on Technology Risk Management (TRM) went into effect on May 10, 2024. It outlines several key requirements for financial entities in Singapore:
- Implement a framework and process to identify critical systems.
- Make all reasonable efforts to maintain high availability for critical systems.
- Establish a recovery time objective (RTO) of no more than 4 hours for each critical system.
- Notify the Authority no more than one hour after discovering a relevant incident.
- Submit a root cause analysis report to the Authority no more than 14 days from the incident’s discovery.
- Implement IT controls to protect customer information against unauthorized access or disclosure.
Per the Monetary Authority of Singapore’s website, the Notice on Technology Risk Management (TRM) “sets out requirements for a high level of reliability, availability and recoverability of critical IT systems and to implement IT controls to protect customer information from unauthorised access or disclosure.”
Note: MAS released its Technology Risk Management (TRM) Guidelines in January 2021. These Guidelines arm financial institutions in Singapore with the principles and best practices they need to build a robust technology risk management program with proper governance and oversight. While they are helpful for implementing the cybersecurity and risk management requirements (“Notices”) issued by MAS, the Guidelines are not themselves mandatory.
The MAS Notice on Cyber Hygiene
Also effective May 10, 2024, the MAS Notice on Cyber Hygiene “sets out cyber security requirements on securing administrative accounts, applying security patching, establishing baseline security standards, deploying network security devices, implementing anti-malware measures and strengthening user authentication,” according to the MAS website.
Under the Notice on Cyber Hygiene, financial institutions operating within Singapore are required to implement the following cyber hygiene practices:
- Secure every administrative account to prevent unauthorized access. This includes relevant operating systems, databases, applications, security appliances, and network devices.
- Apply patches to vulnerabilities in every system. Patches must be applied promptly enough to address the risks the vulnerabilities pose.
- Create a written set of cybersecurity standards for every system and require compliance. Where compliance is not possible, compensating security requirements must be put in place to mitigate the resulting risk.
- Implement network perimeter controls to restrict unauthorized traffic.
- Implement one or two malware protection measures on every system.
- Implement MFA on all administrative accounts (operating systems, databases, applications, security appliances, and network devices) and on any accounts used by the administrator to access customer information via the Internet.
The MAS Notices on Management of Outsourced Services for Banks
Third-party risk is one of the most recent issues addressed formally by the Monetary Authority of Singapore. On December 11, 2024, two additional Notices went into effect:
MAS Notice 658 outlines mandatory requirements for banks regarding third-party risk management, including that they “assess, manage and monitor any risk to the bank that may arise from obtaining or receiving each of these relevant services.”
MAS Notice 1121 imposes the same requirement – to assess, manage, and monitor any third-party risk to the institution – on merchant banks.
The MAS Advisory on Addressing the Cybersecurity Risks Associated with Quantum
On February 20, 2024, MAS published an advisory addressing the risk that quantum computing poses to the financial sector in Singapore. The advisory cited the potential of cryptographically relevant quantum computers (CRQCs) to “break some of the commonly used encryption and digital signature algorithms” and called on financial entities to, among other things:
- Monitor ongoing quantum computing developments.
- Ensure that senior management and third-party vendors are made aware of the risks.
- Work closely with third-party vendors to assess IT supply chain risks arising from quantum threats.
- Participate in information-sharing groups for collective mitigation.
How Tripwire Can Help with MAS Cybersecurity Compliance
Fortra’s Tripwire IT compliance solutions and strategies can help financial institutions meet cybersecurity mandates, mitigate technology and third-party risks, and harden their systems against cybersecurity risks now and in the future. Together, Fortra and Tripwire provide a suite of security tools that specifically address MAS Notice requirements:
- Establish a recovery time objective (RTO) (MAS TRM): Automated Data Backup and File Replication to help you get back online quickly.
- Submit a root cause analysis report (MAS TRM):
- Secure administrator accounts to prevent unauthorized access (MAS Cyber Hygiene): Identity and Access Management (IAM) solutions to secure access.
- Apply patches to vulnerabilities (MAS Cyber Hygiene): Vulnerability Management discovers vulnerabilities and applies patches on a routine basis.
- Implement network perimeter controls (MAS Cyber Hygiene): Extended Detection and Response provides advanced, behavioral-based detection for all network traffic.
- Implement malware protection measures (MAS Cyber Hygiene): Tripwire Enterprise notifies users of configuration alteration, giving early warning of a ransomware attack in progress.
- Implement MFA on all administrator accounts (MAS Cyber Hygiene): Authentication Manager for IBM i makes it easy to implement multi-factor authentication.
- Address third-party risk (MAS Notices 658 and 1121): A Security Configuration Management (SCM) tool ensures that security policies across your entire attack surface remain in compliance.
To learn more about how Tripwire helps you meet regulatory compliance requirements and guidelines, check out our IT Compliance Solutions & Strategies or request a live demo today.