
MAS TRM Guidelines Checklist

Singapore Financial Institution Technology Risk Mgmt

Overview

The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines provide a comprehensive framework for technology and cybersecurity risk management at financial institutions operating in Singapore. Last significantly updated in January 2021, the guidelines cover governance, software development, IT service management, cybersecurity operations, and emerging technology risks. While technically non-binding, MAS treats them as supervisory expectations, and non-compliance can result in regulatory action during inspections.

Key Domains

Domain | Focus Areas
Technology Risk Governance | Board oversight, CTO/CISO roles, risk appetite, and IT strategy alignment
Technology Project Management | Secure SDLC, project risk assessment, and change management
Software Application Development | Source code review, secure coding, testing, and deployment controls
IT Service Management | Incident management, problem management, capacity planning, and IT asset management
Cybersecurity Management | Threat monitoring, vulnerability management, penetration testing, and cyber exercises
IT Resilience | Business continuity, disaster recovery, system availability, and recovery testing
Access Control | Identity management, privileged access, multi-factor authentication, and access reviews
Data & Infrastructure Security | Encryption, network security, endpoint protection, and cloud security
Online Financial Services | Internet banking security, mobile app security, and customer authentication
IT Audit | Independent audit coverage, risk-based approach, and remediation tracking

Governance Expectations

The Board must approve the technology risk management framework and ensure adequate resources are allocated. A senior management committee must oversee technology risk and cybersecurity. The CISO role must be independent of IT operations with direct reporting to senior management. Financial institutions must maintain a technology risk register that is reviewed quarterly. Risk appetite for technology and cyber risk must be explicitly defined and monitored with measurable thresholds.

Implementation Checklist

  • Establish Board-level technology risk governance with documented risk appetite
  • Appoint a CISO independent of IT operations with direct senior management reporting
  • Implement a comprehensive vulnerability management program with defined patching SLAs
  • Conduct penetration testing at least annually by independent qualified assessors
  • Deploy real-time security monitoring through a SOC capability
  • Implement multi-factor authentication for all critical and internet-facing systems
  • Establish a secure software development lifecycle with mandatory code reviews
  • Conduct cyber attack simulation exercises at least annually
  • Implement robust access control with privileged access management and quarterly access reviews
  • Maintain a tested business continuity and disaster recovery plan with RPO and RTO targets
  • Report material cyber incidents to MAS as soon as possible but within one hour of initial assessment
  • Conduct annual cyber awareness training for all employees and Board members

Cloud and Third-Party Requirements

Financial institutions using cloud services must conduct thorough risk assessments before adoption. MAS expects due diligence on the cloud provider's security controls, data residency, incident response capabilities, and exit planning. All outsourcing arrangements must comply with the MAS Outsourcing Guidelines, which require Board approval for material outsourcing, documented SLAs, and the right for MAS to inspect the service provider. Third-party risk assessments must be ongoing rather than conducted only at onboarding.

Incident Notification Requirements

Material cyber incidents must be reported to MAS within one hour. This includes incidents that impact critical systems, result in significant data loss, affect a large number of customers, or attract public attention. MAS also requires notification of IT incidents that cause system outages affecting customer services. A root cause analysis must be submitted within 14 days, and the financial institution must demonstrate corrective actions through verifiable evidence.

Frequently Asked Questions

Are the TRM Guidelines legally binding?
The TRM Guidelines are issued as supervisory expectations under MAS Notice on Technology Risk Management. While not technically regulations, MAS treats non-compliance as a supervisory concern, and non-adherence can result in corrective directions, restrictions on activities, or other regulatory consequences during inspections.
How often does MAS inspect technology risk?
MAS conducts regular on-site inspections and thematic reviews of technology risk management. The frequency depends on the institution's risk profile and systemic importance. Large banks may be inspected annually, while smaller entities may be reviewed every 2-3 years. MAS also conducts targeted thematic inspections on specific topics.
What is the relationship between TRM Guidelines and the Cyber Hygiene Notice?
The MAS Notice on Cyber Hygiene (published 2019) is a legally binding regulation that prescribes minimum baseline cybersecurity practices. The TRM Guidelines are broader supervisory expectations. Together, they form the full set of technology risk and cybersecurity expectations for financial institutions in Singapore.
Do the guidelines apply to fintech companies?
Yes. The TRM Guidelines apply to all MAS-regulated entities including licensed fintech companies, payment institutions, and digital banks. The extent of applicability may vary based on the type of MAS license held, but all regulated fintech entities must address the relevant TRM domains.
What cyber exercises does MAS expect?
MAS expects financial institutions to conduct regular cyber exercises including red team assessments, tabletop exercises, and participation in industry-wide exercises conducted by the Association of Banks in Singapore (ABS). MAS may also direct specific institutions to participate in exercises as part of supervisory activities.