In January 2021, the Monetary Authority of Singapore (MAS) released a revised version of its Technology Risk Management guidelines (TRM). These guidelines set out risk management principles and best practices to guide financial institutions on how to establish sound and robust technology risk governance and oversight, as well as maintain IT and cyber resilience.
The revision takes into account the fast-changing nature of cyber threats and financial institutions' increased dependence on cloud technologies and APIs, and it incorporates the feedback received from the public consultation conducted in 2019. The guidelines aim to give financial institutions a best-practice framework for overseeing and addressing potential cyber risks and for protecting their data. They apply to all banks, payment service providers, and insurance providers.
The key changes are as below:
- The board of directors and the senior management are responsible for implementing the risk management frameworks, internal controls, and key IT decisions.
- Financial institutions should adopt the framework after comprehensive application security testing.
- Financial institutions should vet their third parties that have access to their APIs by establishing thorough security standards for developing secure APIs and should adopt strong encryption standards.
- Financial institutions should ensure compliance with data loss prevention policies.
- Financial institutions should conduct regular cybersecurity assessment exercises to allow comprehensive stress testing for cyber resilience.
MAS TRM 2021 Compliance Updated on Warden
The following are new guidelines that have since been updated on Warden’s compliance library:
Clause 6.3.2: The financial institution should implement adequate security measures and enforce segregation of duties for software development, testing, and release functions in its DevSecOps Lifecycle.
Mapped rules include:
- (GCP) IAM Users Assigned to Service Account User or Service Account Token Creator Roles at Project Level
- (GCP) Separation of Duties Not Enforced while Assigning Service Account-Related Roles to Users
Clause 9.1.8: The financial institution should subject its service providers (who are given access to their information assets) to the same level of monitoring and access restrictions as on their employees (internal or contractors).
Mapped rules include:
- (AWS) S3 Bucket Publicly Accessible via Bucket Policy
- (AWS) SNS Topics Publicly Exposed
- (GCP) BigQuery Datasets Publicly Accessible
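As an added illustration of what rules like those mapped above check, here are two small policy evaluators written for this page (example code, not Warden's own rule logic): one flags S3 bucket policy statements that grant access to any principal without a condition scoping it to a known account, network or organisation, and one lists users who hold the Service Account User or Service Account Token Creator role at project level in a GCP IAM policy. The set of "restricting" condition keys and the two sample policy documents are constructed assumptions for the demonstration.

```python
import json

# Condition keys that scope an otherwise-public S3 statement to a known tenant,
# network or organisation. Treating these as "not world-readable" is an
# assumption made for this example; a production rule would tune the list.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid",
    "aws:principalaccount", "aws:sourcearn", "aws:sourceaccount", "aws:sourceip",
}

# GCP roles that, when granted at project scope, let a user act as every
# service account in the project (the segregation-of-duties concern in 6.3.2).
PROJECT_LEVEL_SA_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (either form means everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def _has_restricting_condition(statement):
    """True if any condition key narrows the statement to a known source."""
    for _operator, block in statement.get("Condition", {}).items():
        for key in block:
            if key.lower() in RESTRICTING_CONDITION_KEYS:
                return True
    return False


def public_statements(bucket_policy):
    """Return Sids (or positional labels) of Allow statements open to everyone."""
    doc = json.loads(bucket_policy) if isinstance(bucket_policy, str) else bucket_policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given unwrapped
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if _has_restricting_condition(stmt):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def users_with_project_level_sa_roles(project_iam_policy):
    """Map each sensitive role to the user: members holding it at project scope."""
    found = {}
    for binding in project_iam_policy.get("bindings", []):
        role = binding.get("role")
        if role not in PROJECT_LEVEL_SA_ROLES:
            continue
        users = sorted(m for m in binding.get("members", []) if m.startswith("user:"))
        if users:
            found[role] = users
    return found


# Constructed sample inputs: an S3 bucket policy and a GCP project IAM policy.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:dev@example.com", "group:ops@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    print("Public S3 statements:", public_statements(SAMPLE_BUCKET_POLICY))
    print("Project-level SA roles held by users:",
          users_with_project_level_sa_roles(SAMPLE_PROJECT_POLICY))
```

On the sample data only the PublicRead statement is reported: VpceOnly is open to "*" but scoped by aws:SourceVpce, and DenyInsecure is a Deny. For GCP only dev@example.com is listed, since the group and the CI service account are not user: members; a stricter rule would report group members as well.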
What This Means
- These Warden updates help to reveal gaps in enforcement of segregation of duties in DevSecOps processes, highlighted in 6.3.2.
- These Warden updates also help you review user access and monitor access restrictions, reducing your attack surface and supporting compliance with clause 9.1.8 above.
The revised guidelines are set out to focus on enhanced mitigation strategies for financial institutions on cyber threat intelligence and information sharing, stress testing of cyber defenses, virtualization security, and Internet of Things.
[Screenshots: Warden Compliance Brief dashboard; MAS-TRM compliance view; generating a MAS-TRM compliance report]
While digital transformation brings significant benefits to the financial ecosystem, it also increases a financial institution’s exposure to a range of technology risks. The techniques used by hackers are becoming increasingly sophisticated, and weak links in the interconnected financial ecosystem can be compromised to carry out fraudulent financial transactions, exfiltrate sensitive financial data or disrupt IT systems that support financial services. Hence, it is essential to have strict compliance benchmarks in place to ensure cyber resilience.
And as the compliance regulatory environment continues to evolve, Warden is constantly expanding its compliance library to serve customers across the globe. Recently, we added the following compliance benchmarks to Warden:
To stay updated with the latest additions to Warden’s compliance automation stack, you can visit our blog. You can also fill in this form to schedule a live demo of Warden’s Cloud Security Posture Management (CSPM) and Cloud Identity and Entitlements Management (CIEM) capabilities.