The Monetary Authority of Singapore maintains a comprehensive set of guidelines known as the MAS TRM (Technology Risk Management) Guidelines that help Financial Institutions (FIs) improve their security posture against the most common cyber attacks. In this podcast, Horangi Principal Cybersecurity Consultant and resident MAS TRM expert Vincent Lim speaks to Director of Cyber Operations Mark Fuentes about the ins and outs of the Singapore regulation, plus the ways in which Horangi has helped many customers meet these regulatory requirements.
The following are the questions covered in the podcast recording:
Who actually has to worry about MAS TRM?
MAS TRM is aimed at FIs, which means any company under the jurisdiction of MAS. This includes companies that facilitate online transactions, remittance firms, insurance firms, banks, crypto exchanges, payment gateways, venture capital firms, and others.
Depending on the nature of your business, there are also specific supplementary guidelines targeted at the unique way your firm conducts business operations. The generic TRM guidelines look at security controls, people and business operations, technology, threat monitoring, etc. Those specific flavors then expand on these in a tailored manner that fits each business type. These individual guidelines have all been published by MAS.
Does it help to just follow the general guidelines?
The generic TRM guidelines merely provide a strategic security direction for FIs to follow in the various domains including cybersecurity management, security operations, security monitoring, and threat handling.
Organizations that want to take their cybersecurity more seriously (which should be every company!) can refer to more specific guidelines on Business Continuity Management and Incident Response.
With how complicated MAS TRM looks, how challenging is it to be compliant with it?
Looking at compliance like it is a giant pile of stuff is the wrong approach. Tackle your compliance journey by category and phase. Break it down into different segments and it becomes less daunting. For customers who have been in this quandary, Horangi has helped to review business processes to assess the fastest way to match TRM requirements to unique organization needs.
MAS TRM is referred to as just guidelines, but why does everyone treat it like it's mandatory? Is it a must to comply with MAS TRM?
You are right. The TRM refers to a set of guidelines. However, when organizations need to apply for licenses such as the Digital Banking License or anything under the Payment Services Act, MAS TRM compliance is always a requirement.
This is why it is always a key criterion that needs to be satisfied.
As for how MAS actually checks the compliance, it is sometimes as simple as a self-assessment checklist. But do not be surprised if an auditor is sent to your organization to do a thorough compliance check.
Really, while MAS TRM was designed for FIs, it shouldn't be applicable only to FIs. This is a very robust set of guidelines that can serve as best practices for organizations across all industries.
What would you say to someone just starting out in their MAS TRM journey?
Start by understanding internally your readiness for compliance. Once you know that, it is easy to work with a team of experts to baseline your technical documentation and security controls with respect to your unique business operations. You can always start with the basics: Penetration Tests, Cybersecurity Assessments, and Table-Top Exercises. These would give you a good idea of the things you need to do to become compliant.
Ultimately, if this is a journey that your organization is ready to embark on, Horangi is always happy to have a chat with you to look at timelines and streamline resources. Above the security controls, policies, and documentation, we always like to say that context is king. You can read the guidelines all you want. But nothing matters until you understand how they apply to your organization.