What is the MAS-TRM?
In June 2013, the Monetary Authority Singapore (MAS) recognised the need to regulate rampant technological disruption in the financial industry as the evolution of IT has become a critical component within financial institutions (FI).
The Technology Risk Management (TRM) Guidelines were what the MAS proposed in response to the digital disruptions, in order to guide FIs into the following:
- Establishing a sound and robust technology risk management framework
- Strengthening system security, reliability, resiliency, and recoverability
- Deploying strong authentication to protect customer data, transactions and systems
On May 17, 2018, the Chief Cyber Security Officer of the MAS indicated in his speech that they are currently reviewing the TRM Guidelines and intend to issue a Notice on Cyber Hygiene so as to boost cyber resilience.
In light of the upcoming changes, Horangi and ICE71 co-organized a panel discussion in July, in hopes to provide industry insight into the challenges that medium-sized FIs and Fintechs would most likely face, and plausible solutions to overcome them.
Changes to Cyber Hygiene
MAS recognises the key role of cyber hygiene in being one of the cornerstones of robust cybersecurity in the financial industry, and how this golden practice obviates a large majority of cybersecurity incidents from happening annually. Thus, they intend to issue a notice on cyber hygiene which would require FIs in Singapore to implement a set of fundamental controls in order to raise the industry level of cyber resilience.
FIs can expect to be required to adopt several cyber hygiene practices such as strong authentication, controlled use of administrative privileges, and proper patch management.
Challenges to the Changes
1. Complying with the Guidelines
The MAS TRM Guidelines are essentially "size blind". This means that a fintech startup with five full-time employees would be expected to match the level of control and management that an established bank would easily be able to provide. Medium-sized FIs and Fintech companies are at a disadvantage as they are small in size and limited in resources.
For a traditional financial entity, the process of building these standards from scratch could take an arduous three to six months, and would require approximately 17 different departments in a bank to establish a working understanding of how to configure the controls internally. Having the luxury of manpower, employees are able to cross check each others’ work, so as to ensure that all the necessary controls are in place.
For a startup however, employees are constantly wearing multiple hats depending on the present needs of the company, making it impossible for cross checks to occur.
The good news is that the MAS have been upfront with what they require from FIs, giving them sufficient time to get started on complying. FIs should therefore look towards automating some of their practices to ensure that they are able to build trust and deliver an equally high standard of service to their clients.
2. Balancing Security and Compliance Effectively
ComplianceCompliance is about doing the bare minimum in order to be allowed to stay in the game, but security is what keeps you thriving in it. Both are essential in doing great business.
Security practices should always be built with the customer in mind. Having a safe and secure system in place builds confidence and trust amongst your customers, and makes them want to do business with your company.
Having placed a strong emphasis on security right from the beginning has enabled the success of noteworthy companies like PayPal, who have established an impenetrable level of trust with their customers (both sellers and buyers), and given them an added competitive advantage.
Solution: Compliance in a Cost-Effective Manner
Cybersecurity should not be seen as a technical or isolated problem. Rather, it should be approached just like any other problem that arises in the business. If the issue is not handled properly, it could have tremendous implications on the business -- cyber attacks can be costly to a businesscyber attacks can be costly to a business.
For the longevity and prosperity of the business, business owners need to incorporate cybersecurity managementcybersecurity management as part of their business strategy. To avoid fear-based spending and make more strategic investments, it is also crucial to have a competent partner who understands the business and is able to navigate the brutal world of regulation and hackers, alongside the company.
Although such changes may seem costly and tedious at first, cybersecuritycybersecurity laws are ultimately beneficial to everyone. Having these regulations creates an ecosystem where innovation and protection is balanced. Companies should view regulation as less of a cost and more of an investment in building trust within their consumer base, while ensuring the long-term success of their business.