Monetary Authority of Singapore Issues Revised Technology Risk Management Guidelines

Executive briefing: On January 30, 2024 the Monetary Authority of Singapore (MAS) released revised Technology Risk Management (TRM) Guidelines. The updates strengthen requirements for third-party risk management, cyber resilience testing, data centre governance, and incident reporting for banks, insurers, and capital markets intermediaries operating in Singapore.

Key compliance signals

• Third-party controls. Financial institutions must enhance oversight of outsourced service providers, including data centre operators and cloud services.
• Resilience testing. MAS now expects regular scenario-based exercises, cyber range testing, and validation of recovery time objectives for critical systems.
• Data governance. The guidelines emphasise data classification, access controls, and monitoring across production and recovery sites.

Control alignment

• Vendor governance. Update outsourcing frameworks to meet MAS documentation, audit, and notification expectations.
• Business continuity. Align disaster recovery drills and reporting with the enhanced TRM resilience criteria.
• Board oversight. Ensure boards receive regular updates on technology risk posture and compliance attestations.

Action checklist

• Conduct a gap assessment against the revised TRM controls for infrastructure and application domains.
• Engage critical third parties to confirm they can provide evidence required under the updated guidelines.
• Refresh incident response plans to incorporate MAS reporting timelines and escalation criteria.

Sources

• MAS — Technology Risk Management Guidelines (January 2024)
• MAS Media Release — Revised TRM Guidelines

Zeph Tech aligns Singapore-regulated institutions with MAS’s strengthened TRM expectations across data centre and vendor governance.