Wednesday, 10 February 2021, 9.00am - 10.30am
On 18 January 2021, the Monetary Authority of Singapore (MAS) released the revisions to the technology risk management (TRM) guidelines for Financial Institutions (FIs). Our briefing session will discuss the revisions proposed in the consultation papers on TRM guidelines, and the key considerations for FIs to assess how these proposed revisions impact their people, process, technology, and third parties as well as their ability to adopt them (in part, or in whole).
As organisations embrace new technologies and introduce new ways of doing things, risks and exposure evolve.
On 18 January 2021, the Monetary Authority of Singapore (MAS) released the revisions to the Technology Risk Management (TRM) guidelines for Financial Institutions (FIs). FIs will need to assess how these proposed revisions impact their people, process, technology, and third parties as well as their ability to adopt them (in part, or in whole). Some of the key areas for the organisation to assess are:
Advances in technology mean that organisations are increasingly dependent on information to meet the needs of customers. However, the ways of securing and protecting this information have not kept pace or extended to information that third parties may have. The proposed changes address new software development practices such as DevOps and new technologies such as virtualisation, payment technologies and the use of third parties and have far reaching implications. We reviewed the proposed changes and developed a quick guide on how you can start aligning your efforts with the guidelines.
Rethink your role in cyber risk management
Everyone in your organisation plays a critical role in technology risk management. As technology risks evolve, your processes and strategies must adapt to mitigate these risks. Your strategies must be informed through defined and measurable indicators. The quality of technology and cyber risk reporting to the board and senior management becomes key to provide visibility on the effectiveness of your organisation’s technology risk strategy.
With a strong and clear strategy in place, the board of directors, senior management, technology operations, compliance and internal audit must be equipped with the necessary skills to understand and manage technology risks.
Integrate effective controls into agile environments
The ability to deliver at the speed of today’s business can make or break an organisation. With the exception of digitally native start-up companies that were “born agile”, most organisations are complex with well-entrenched silos, centralised hierarchies, and reliance on antiquated technology architecture that was established decades ago. The adoption of Agile and DevOps should be considered a major technology transformation. As with all transformations, there are many risks that must be carefully mitigated.
A well-designed workflow and CI/CD toolchain can help you to roll out changes quickly, but it is also critical to be able to bounce back just as quickly if a roll-out fails. We can help you with your DevOps governance framework and its optimisation, and embed good controls and security practices throughout your Agile and DevOps processes and technologies.
Embed security throughout
Software vulnerabilities are typically targeted and exploited by malicious actors to compromise IT systems, and they often occur because of poor software development practices. As Agile and DevOps enable your organisation to deploy more changes to the environment, it is key not to lose sight of security considerations while you increase speed to market. Established policies on secure coding, source code review and application security testing can ensure that security standards are applied throughout the development cycle. These security considerations can be embedded in your DevOps toolchain and processes (“DevSecOps”).
One of the key foundations of your systems is your network infrastructure. A well-designed network can keep your organisation connected, and provide you with the ability to segregate the network based on the nature of your business and sensitivity of the data. We can help you with security assessments of your systems and network architecture to make sure security considerations are embedded in the foundation.
Navigate your cloud journey with trust
The cloud is becoming the core paradigm for delivering business technology, with an aspirational promise of “zero infrastructure — anything-as-a-service.” To deliver on this promise, technology operating models will need to evolve and grow a new set of cloud-centric capabilities that are very different from the old ways of IT:
A new, consultative approach to cloud demand and business relationship management
A retooled architecture, engineering, and operations capability, embracing such concepts as cloud orchestration tool sets, continuous integration and deployment, and development operations (DevOps)
Strong controls for cloud consumption, performance, and vendor/partner management
The ability to create, destroy and clone environments opens new risks to your organisation and data. Organisations must be ready to manage the virtual environments, and maintain technology integrity with effective risk and controls. The implications of data residency may become a compliance issue especially if information is stored in the cloud.
Know your third parties
It is important to understand the flow of your organisation’s information, particularly where third party service providers are involved. The ownership of an organisation’s information does not stop at the organisation’s physical boundary. You need to make sure your partners are following appropriate procedures. This is vital and will enable you to avoid risks and reputation damage. The responsibility of managing the risk of your third party relationships falls on you, so to protect your business from issues associated with profitability, reputation, regulation and even litigation, it is important to establish processes that will allow you to oversee these issues.
Regulators have stepped up their standards regarding how companies protect themselves against third party issues, so this area is an increasingly important part of your risk management plan.
Build your next generation cybersecurity defense
For many organisations, security can feel like a game that is almost impossible to win. The rules have changed and opponents are patient, well-funded and increasingly sophisticated in the tools and techniques they have at their disposal. Working with a dedicated threat intelligence partner that develops its own threat intelligence gleaned from first-hand open, closed and proprietary sources will enable you to make informed risk-based decisions and allow you to develop and design appropriate mitigations for new threats.
Cyber criminals continue to infiltrate organisations’ networks undetected and gain unauthorised access to critical data. Advanced attackers can remain on systems for years without ever being detected. Organisations need to conduct regular cyber threat hunting activities to look proactively for and identify any threats in their IT estate, and respond quickly and appropriately before those threats damage their business.
Conducting threat-intelligence-based red teaming exercises using real-world scenarios tailored to your organisation allows you to improve your organisation’s cyber resilience, demonstrate its cyber defence capability to the board, measure its maturity and stay ahead of the evolving threat landscape.
Transform your security operational capabilities
The ever-increasing complexity of cyber-attacks and the changing requirements for enterprise security and risk management, coupled with technology advancements, have triggered a paradigm shift in the design and ongoing administration of a security operations centre. It is imperative for the financial industry to:
Reduce enterprise risk and protect the business
Move from reactive response to proactive detection and mitigation
Increase visibility over their environment
Meet compliance/regulatory requirements set forth by various agencies
The security operations centre must be responsive to evolving threats and provide management with the information and control that it needs. We can help your Security Operations and Security Operations Centre with the following:
SOC Workshop
SOC Maturity Assessment Workshop
SOC Strategy & Program Mobilisation
Use Case Assessment
Use Case Strategy & Use Case Framework
SOC Compliance
Cyber security incidents are firmly on the agenda, not just for boards, but for regulators, customers, and investors too. With the scale and sophistication of cyber incidents increasing every year, organisations need to be prepared for the inevitable, with confidence in their ability to manage the risks they face.
When a cyber incident impacts your business, you need immediate access to highly experienced experts that can rapidly and effectively investigate, contain and remediate the threats, as well as continue to help you with the full range of business issues that you may need to address.
Work with you to identify key areas of concern and carry out targeted reviews (e.g. of DevOps).
Improve your processes on security monitoring and optimise your SOC function.
Conduct cybersecurity trainings and exercises such as Game of Threats™ and red teaming.