MAS Technology Risk Final
On Jun. 21, MAS issued guidelines on technology risk management.
- Addresses existing and emerging technology risks, by using prudent IT risk practice.
- Enhanced from the existing Internet banking and technology risk management guidelines.
- On Aug. 22 2013, MAS canceled 11 old technology-related guidelines as superseded.
- New guidelines apply to all financial institutions; previous ones had focused on banks.
- Legal requirement for a high level of reliability, availability and recoverability of key systems.
- Firm to identify critical systems; unscheduled downtime in 12 months to be under 4 hours.
- Requires firm to implement IT controls to protect customer data from unauthorized access.
- Inform MAS of IT incidents and malfunctions within 30 minutes to an hour after discovery.
- Report incidents with severe, widespread impact on operations or service to customers.
- On security breach, hacking, intrusion or denial of service attack on a critical system.
- Or system which compromises security, or confidentiality of any customer information.
- Mar. 2014 Revision
- On Mar. 6, MAS revised rules for firms to notify IT incidents, effective on Jul. 1 2014.
- Notify MAS as soon as possible, not later than one hour, from discovery of an incident.
- Reference to licensed trade repositories, revises clearing house, includes derivatives.
- Sep. 2018 Revisions
- In Sep. 2018, MAS proposed measures to strengthen cyber resilience, see #46783.
||B/D; Bank; IA; Inv Co; OTC; Servicer
||CMG-N02, 3/6/2014, Gd, Pr, 6/21/2013, PR, Gd P012 - 2012, P013 - 2012, 6/13/2012
||Operations; Outsourcing; Privacy; Technology
||Banking; Corporate; Derivatives; Securities
Last substantive update on 10/08/2018