Monetary Authority of Singapore Issues Revised Technology Risk Management Guidelines
MAS’s 2024 Technology Risk Management Guidelines tighten third-party oversight, resilience testing, and board reporting for Singapore financial institutions, requiring full gap analyses and multi-year implementation plans.
Verified for technical accuracy — Kodi C.
The Monetary Authority of Singapore (MAS) released revised Technology Risk Management (TRM) Guidelines on . The update reflects heightened expectations for third-party oversight, cyber resilience, incident reporting, and board accountability across banks, insurers, and capital market intermediaries. MAS’s guidelines, while not legally binding, are a key reference for supervisory assessments and often form the basis for regulatory actions. Financial institutions (FIs) must now demonstrate more rigorous governance, testing, and documentation of technology controls.
Board and senior management accountability
The revised TRM Guidelines state that boards remain ultimately responsible for technology and cyber risk management. They must approve technology strategies, risk appetite statements, and major investments, receiving regular reports on emerging threats, control effectiveness, and incident metrics. Senior management must ensure policies are implemented, resources allocated, and remediation tracked. MAS emphasizes the need for independent challenge, recommending that boards include members with relevant technology expertise or provide targeted training.
Technology and cyber risk frameworks
FIs are expected to maintain comprehensive risk frameworks covering identification, assessment, mitigation, monitoring, and reporting of technology risks. The guidelines call for asset inventories, data classification schemes, risk assessments for new initiatives, and integration with enterprise risk management. MAS highlights the importance of threat-informed risk assessments, urging institutions to incorporate intelligence from the Cyber Security Agency of Singapore (CSA), the Financial Services Information Sharing and Analysis Center (FS-ISAC), and other sources. Control environments should align with recognized standards such as ISO/IEC 27001 and NIST SP 800-53.
Third-party risk management
The update expands expectations for outsourcing and vendor governance. FIs must perform due diligence covering financial stability, cyber controls, incident history, and concentration risks. Contracts should include service-level agreements, audit rights, security requirements, incident notification obligations, and exit strategies.
MAS calls for ongoing monitoring through periodic assessments, attestation reviews (for example, SOC 2), and threat intelligence sharing. For cloud service providers, FIs should evaluate data residency, encryption, access management, and resilience capabilities, ensuring compliance with MAS notices such as 644 (Outsourcing). Boards should be informed of critical outsourcing arrangements and mitigation plans.
Operational resilience and testing
The guidelines emphasize resilience through scenario-based testing, including cyber range exercises, red-teaming, and tabletop simulations. MAS expects FIs to validate recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical systems, considering extreme but plausible scenarios. Testing programs should include the MAS-TRM Penetration Testing Guidelines (PT Guidelines), with red-team exercises aligned to the Adversarial Attack Simulation Exercises (AASE) framework for systemically important institutions. Institutions must document test results, lessons learned, and remediation timelines.
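As an added illustration of the RTO/RPO validation the guidelines describe (example code written for this page, not from MAS or the original article), the following Python evaluates constructed recovery-test records against per-system targets and lists items that need remediation. The sample systems, their targets, and the 365-day limit on the age of test evidence are assumptions, not values from the guidelines.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class RecoveryTest:
    """One documented recovery exercise for a critical system (constructed)."""
    system: str
    rto_target: timedelta          # maximum tolerable time to restore service
    rpo_target: timedelta          # maximum tolerable data loss window
    outage_start: datetime         # when the simulated disruption began
    last_consistent_backup: datetime
    service_restored: datetime


def evaluate(test: RecoveryTest) -> dict:
    """Compute achieved RTO/RPO from the test evidence and compare to targets."""
    achieved_rto = test.service_restored - test.outage_start
    achieved_rpo = test.outage_start - test.last_consistent_backup
    return {
        "system": test.system,
        "achieved_rto_min": achieved_rto / timedelta(minutes=1),
        "achieved_rpo_min": achieved_rpo / timedelta(minutes=1),
        "rto_met": achieved_rto <= test.rto_target,
        "rpo_met": achieved_rpo <= test.rpo_target,
    }


def remediation_items(tests, as_of, max_evidence_age=timedelta(days=365)):
    """Return (system, finding) pairs for missed targets or stale test evidence.

    max_evidence_age is an assumed policy value, not one stated by MAS.
    """
    items = []
    for t in tests:
        r = evaluate(t)
        if as_of - t.service_restored > max_evidence_age:
            items.append((t.system, "test evidence older than policy limit: retest required"))
        if not r["rto_met"]:
            items.append((t.system, f"RTO missed: {r['achieved_rto_min']:.0f} min achieved"))
        if not r["rpo_met"]:
            items.append((t.system, f"RPO missed: {r['achieved_rpo_min']:.0f} min achieved"))
    return items


# Constructed sample evidence: one RTO miss, one clean pass, one stale test.
AS_OF = datetime(2024, 4, 1)
SAMPLE_TESTS = [
    RecoveryTest("core-banking", timedelta(hours=4), timedelta(minutes=15),
                 datetime(2024, 3, 10, 2, 0), datetime(2024, 3, 10, 1, 50), datetime(2024, 3, 10, 7, 0)),
    RecoveryTest("payments-gateway", timedelta(hours=2), timedelta(minutes=15),
                 datetime(2024, 3, 10, 2, 0), datetime(2024, 3, 10, 1, 55), datetime(2024, 3, 10, 3, 30)),
    RecoveryTest("trade-reporting", timedelta(hours=4), timedelta(hours=1),
                 datetime(2022, 11, 1, 1, 0), datetime(2022, 11, 1, 0, 30), datetime(2022, 11, 1, 3, 0)),
]
```

Running `remediation_items(SAMPLE_TESTS, AS_OF)` yields two findings (core-banking missed its RTO; trade-reporting needs a retest), the kind of list that feeds the remediation timelines the guidelines require.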
Incident response and reporting
MAS reiterates that FIs must maintain detailed incident response plans covering detection, containment, eradication, recovery, and post-incident analysis. Plans should align with MAS Notice 644 reporting timelines, which require significant incidents to be reported within one hour of detection. The updated guidelines encourage the establishment of security operations centers (SOCs) with continuous monitoring, security orchestration and automation, and integration with threat intelligence feeds. Post-incident reviews must identify root causes, evaluate control gaps, and track remediation to closure.
Data governance and privacy
FIs must implement data protection controls, including data classification, encryption, access management, and monitoring. MAS emphasizes safeguarding customer data, particularly when processed offshore or by third parties. Institutions should adopt data loss prevention technologies, monitor privileged access, and stay compliant with the Personal Data Protection Act (PDPA). Data lifecycle management must include secure disposal and retention policies aligned with regulatory requirements.
Application security and software supply chain
The guidelines require secure software development lifecycle (SSDLC) practices, including code reviews, static and dynamic testing, dependency scanning, and segregation of development, testing, and production environments. MAS encourages adoption of DevSecOps with automated security checks integrated into pipelines. Institutions should maintain inventories of open-source and third-party components, monitor vulnerability disclosures, and implement patch management processes that prioritize critical updates.
Technology operations and infrastructure
MAS calls for strong change management, configuration management, and patching processes. Infrastructure must include redundancy, capacity planning, and monitoring for early detection of anomalies. For emerging technologies such as containerization and microservices, institutions should ensure isolation between environments, secure orchestration platforms, and comprehensive logging. MAS also stresses the importance of endpoint protection, network segmentation, and secure remote access.
How to implement this
FIs should launch a TRM refresh program covering governance, risk, compliance, operations, and technology teams. Phase 1: perform a gap analysis against the revised guidelines, prioritizing high-risk areas such as third-party oversight, incident reporting, and resilience testing. Phase 2: implement remediation projects, such as updating outsourcing policies, enhancing SOC capabilities, expanding red-team exercises, and upgrading data governance tooling. Phase 3: embed continuous improvement by integrating TRM metrics into board dashboards, scheduling regular independent reviews, and ensuring that lessons learned from incidents inform future investments.
Metrics and assurance
Boards should receive metrics on patching timelines, penetration test remediation, third-party assessment completion, incident response performance, and adherence to RTOs/RPOs. Internal audit should assess TRM governance, testing coverage, and third-party management, issuing recommendations where control effectiveness is weak. Institutions may commission external assurance (for example, ISO certification or independent cyber maturity assessments) to demonstrate compliance to MAS and other stakeholders.
Regional and global alignment
Many Singapore FIs operate across multiple jurisdictions. Governance teams must align the TRM Guidelines with regulations such as the Hong Kong Monetary Authority’s TM-E-1, Australia’s CPS 234, and the European Union’s Digital Operational Resilience Act (DORA). Establishing a global technology risk committee helps harmonize policies, avoid duplication, and maintain a consistent risk appetite. Where overseas regulations conflict, boards should document the rationale for chosen controls and ensure MAS is informed of constraints.
Adhering to the revised TRM Guidelines will require disciplined governance, investment in talent and tooling, and clear documentation. Institutions that act swiftly to strengthen third-party oversight, resilience testing, and incident management will be better placed to satisfy MAS expectations, protect customers, and maintain trust in Singapore’s financial system.
People and capability development
MAS highlights the importance of skilled personnel to operate complex technology environments. Institutions should invest in continuous training for security engineers, developers, and risk managers, track certifications, and establish succession plans for key roles such as Chief Information Security Officer and Head of Technology Risk. Partnerships with industry bodies, participation in CSA exercises, and cross-border secondments can help maintain a resilient talent pipeline. Boards should review workforce metrics to ensure staffing keeps pace with digital transformation.
Architecture considerations
Infrastructure architects and platform teams should evaluate the architectural implications of this development:
- Integration patterns: Assess how this component integrates with existing infrastructure services and data flows. Identify required API changes, protocol updates, or middleware modifications.
- Scalability impact: Evaluate whether this change affects horizontal or vertical scalability characteristics. Plan for capacity adjustments and update auto-scaling policies as needed.
- High availability: Review redundancy and failover configurations to ensure continued resilience. Update health check mechanisms and failover procedures to reflect new deployment characteristics.
- Data persistence: If applicable, assess data migration, backup compatibility, and storage requirements associated with this change. Validate data integrity across upgrade paths.
Document architectural decisions and update reference architectures to guide future deployments and ensure organizational consistency.
Cited sources
- MAS — Technology Risk Management Guidelines (January 2024) — www.mas.gov.sg
- MAS Media Release — Revised TRM Guidelines — www.mas.gov.sg
- ISO/IEC 27017:2015 — Cloud Service Security Controls — International Organization for Standardization