Singapore’s MAS issues new consultation paper on technology risk
Once released, financial institutions will be expected to implement the measures that are relevant to their operating environment.
Part four of the guideline says that financial institutions need to establish a risk management framework to manage technology risks in a consistent and systematic manner.
As part of the framework, effective risk management practices and internal controls should be instituted to achieve data confidentiality and integrity, system security and reliability, and resilience in the institution's IT operating environment.
MAS’ new guidelines also advise financial institutions to identify a risk owner, accountable for ensuring proper risk treatment measures are implemented and enforced, for each kind of technology risk.
The risk owner role may be assumed by a function or group of functions within the institution that is held accountable for, and given the authority to manage, technology risks.
The guidelines advise that organizations pay attention to the following components when formulating their new technology risk management framework:
# 1 | Risk identification
MAS says that financial institutions must look out for the threats and vulnerabilities present in their IT environments and the risks these create for the organization.
Security threats such as internal sabotage, malware, data theft, and unauthorized financial transactions could have a severe impact on organizations, and hence MAS treats identifying them as a critical first step.
# 2 | Risk assessment
Following risk identification, MAS advises organizations to perform an analysis and quantify the potential impact and consequences of these risks on the overall business and operations.
To facilitate the prioritization of technology risks, a set of criteria measuring and determining the likelihood and impact of threats and vulnerabilities should be established.
MAS also suggests that institutions take into consideration financial, operational, legal, reputational and regulatory factors in assessing technology risks.
# 3 | Risk treatment
For each type of risk identified, MAS advises each institution to develop and implement risk mitigation and control strategies that are consistent with the value of the information assets and the institution's level of risk tolerance.
The MAS provides considerable advice on ensuring not only that risk is mitigated effectively, but also that organizations make a genuine effort to assess their risk tolerance for damages and losses should a given risk-related event materialize.
# 4 | Risk monitoring, review, and reporting
MAS advises organizations to monitor and review technology risks, taking into account the risks to which customers are exposed as well as changes in business strategy, systems, and environmental or operating conditions.
The regulator also says that institutions must report key risks to the board of directors and senior management to enable them to prepare for eventualities and put safeguards in place to minimize overall damage.