What Are the MAS TRM Guidelines?
MAS TRM Guidelines stands for the Monetary Authority of Singapore Technology Risk Management Guidelines. They guide financial institutions on how to address technology risk management, including raising cybersecurity standards and strengthening cyber resilience.
MAS expects financial institutions to comply with the TRM Guidelines, which were recently revised in response to the growing cyber threat landscape.
Issued on 18 January 2021, the 2021 TRM Guidelines retain many of the standards from the earlier 2013 edition and add further IT compliance standards to help companies keep up with emerging technologies and cybersecurity best practices.
Some of the enhanced expectations that MAS has for financial institutions on their IT compliance standards include:
- Establishing a robust and sound technology risk governance framework and oversight
- Putting in place effective cyber surveillance
- Developing secure systems and software
- Practicing adversarial attack simulation exercises
- Managing cyber risks posed by emerging technologies such as the Internet of Things (IoT)
Brief Overview of the MAS TRM Guidelines
The MAS TRM Guidelines have twelve main sections and various appendices that cover key areas within an organization, including, but not limited to, best practices for the board and senior management, best practices for third-party vendor management, and secure system and software development.
Board & Senior Management (BSM)
The 2021 edition introduces enhanced guidelines on BSM roles and responsibilities. For example, the BSM must now ensure that senior managers, such as the IT manager and CIO, have the experience and skills needed to oversee and properly manage technology and cyber risks. Board members themselves are also expected to have a sound understanding of those same cyber risks and of cybersecurity.
MAS also expects senior management and the board of directors to approve their financial institution’s risk tolerance position. Specifically, they need to take into account the organization’s risk appetite before making any critical IT decisions.
Additionally, for financial organizations whose board members are not based in Singapore, it is expected that a select committee should oversee the Singapore-based office and perform the relevant roles and responsibilities highlighted in the guidelines.
Third Party Management
Third-party vendors now have to undergo more stringent assessments before they can access a financial institution's technology systems. Financial institutions are expected to assess and manage their third-party vendors' exposure to cyber threats and technology risks, and to ensure that each vendor can fulfil all regulatory requirements so that it does not undermine the organization's cyber risk management.
The enhanced expectations on third-party management also require financial institutions to establish new standards and procedures for evaluating the suitability of an external provider. This includes assessing the provider's ability to safeguard and recover data in the event of a cyberattack, among other criteria.
Additionally, organizations should vet all information that a third-party vendor can access, so as to prevent the compromise of confidential data and IT systems.
System and Software Development
Besides sharing key information on cyber risks in the financial sector, the new TRM Guidelines also introduce testing and monitoring standards for IT systems. Financial institutions should regularly audit their technology, making sure that proper security controls such as firewalls, data recovery and backup systems are in place.
Beyond internal networks, the security of endpoint devices should also be closely monitored. Company laptops, tablets and smartphones should have up-to-date antivirus software, two-factor authentication, password management and firewall features to prevent security incidents.
Professional MAS Compliance Providers & IT Consultants
MAS conducts frequent risk assessments of financial institutions in Singapore. Failure to comply with the TRM Guidelines can lead to severe fines, revocation of licences and irreversible reputational damage.
To ensure that your organization adheres to these strict IT compliance standards, we recommend consulting an expert MAS compliance provider and IT consultant such as NEX CorporateIT.
IT compliance services address the dynamic cybersecurity and compliance environment effectively. They help your organization develop a customized cybersecurity strategy that aligns your people, processes and technology with your business objectives and risks.
If you are unsure whether your organization is aligned with the TRM Guidelines, professional IT consultants such as NEX CorporateIT can conduct an in-depth gap analysis to help you understand how your organization measures up against the revised IT compliance and regulatory requirements.
NEX can help your organization determine the material gap between its current security practices and controls and the current requirements set by MAS. Experienced IT consultants can then help your organization prioritize a roadmap of actionable steps to close that gap as soon as possible.
Find out more about what NEX IT compliance services can do for your organization at NEX CorporateIT.