[author: Wayne Scott]
Singapore’s parliament passed new laws this month that will grant the Monetary Authority of Singapore (MAS) new powers to enforce technology risk management requirements for financial institutions.
Failure to comply with the regulations can lead to fines of up to $1,000,000, or even more if several rules are broken or if an incident affects customers or other partners of the financial institution, for example.
Singapore has led the way in promoting better operational resilience and third-party risk management in the financial services industry. The new laws follow the publication of new Technology Risk Management (TRM) Guidelines last year, which required financial institutions to put in place risk mitigation and business continuity measures.
Technological risk regulation with escrow
Although not a new concept, it is essential that financial institutions consider the risks associated with an increasing reliance on third-party software. The TRM guidelines set out the detailed steps financial institutions should take to mitigate the associated risk, including specifically naming escrow agreements and verification testing as a viable mechanism to mitigate vendor default. Indeed, escrow continues to be the most recommended and proportionate way to regulate technology risk.
Software resiliency by design, no matter who develops mission-critical software
The guidelines also set out the responsibilities of the board of directors and senior management for evaluation and management in relation to the evaluation and management of the third-party network. And, states that when financial institutions develop their own software in-house, they must implement and follow strict security standards – further ensuring that even if a third-party vendor is not used, TRM requirements are still taken into account. account.
Setting an example for other governments to follow, the new laws go even further than before to regulate supply chain risks, giving the MAS the power to issue restraining orders to people found to be unfit to play key roles in the industry. , including those in risk management positions.
Make business continuity and risk management a priority
With increasingly complex technologies and the rapidly changing cyber threat landscape, Singapore’s approach serves as a model for other governments and regulators around the world to follow. For financial institutions, reviewing business continuity and risk management practices to ensure they comply with the guidelines should, as always, be a priority.