MAS Technology Risk Final


On Jun. 21, MAS issued guidelines on technology risk management.


  • Addresses existing and emerging technology risks, by using prudent IT risk practice.
  • Enhanced from the existing Internet banking and technology risk management guidelines.
  • On Aug. 22 2013, MAS canceled 11 old technology-related guidelines as superseded.
  • New guidelines apply to all financial institutions; previous ones had focused on banks.
  • Requirements
  • Legal requirement for a high level of reliability, availability and recoverability of key systems.
  • Firm to identify critical systems; unscheduled downtime in 12 months to be under 4 hours.
  • Requires firm to implement IT controls to protect customer data from unauthorized access.
  • Inform MAS of IT incidents and malfunctions within 30 minutes to an hour after discovering them.
  • Report incidents of severe, widespread impact on operations, or service to customers.
  • On security breach, hacking, intrusion or denial of service attack on a critical system.
  • Or system which compromises security, or confidentiality of any customer information.
  • Mar. 2014 Revision
  • On Mar. 6, MAS revised rules for firms to notify IT incidents, effective on Jul. 1 2014.
  • Notify MAS as soon as possible, not later than one hour, from discovery of an incident.
  • Reference to licensed trade repositories, revises clearing house, includes derivatives.
  • Sep. 2018 Revisions
  • In Sep. 2018, MAS proposed measures to strengthen cyber resilience, see #46783.

Regulators: SIN MAS
Entity Types: B/D; Bank; IA; Inv Co; OTC; Servicer
Reference: CMG-N02, 3/6/2014, Gd, Pr, 6/21/2013, PR, Gd P012 - 2012, P013 - 2012, 6/13/2012
Functions: Operations; Outsourcing; Privacy; Technology
Countries: Singapore
Products: Banking; Corporate; Derivatives; Securities
Regions: AP
Rule Type: Final
Rule Date: 6/21/2013
Effective Date: 10/8/2018
Rule Id: 5767
Linked to Rule: 4132
Report Issue: 10/15/2018
Report Section: International

Last substantive update on 10/08/2018