Undoubtedly, many banks will be aware of the Technology Risk Management (TRM) Guidelines issued by the Monetary Authority of Singapore in June 2013.
The TRMs follows a long running series of guidelines formerly know as the Internet Banking and Technology Risk Management Guidelines.
"Against the backdrop of an increased reliance on complex IT systems and operations in the financial sector is the heightened risk of cyberattacks and system disruptions. In this regard, FIs are expected to continue to deepen their technology risk management capabilities and be ready to handle IT security incidents and system failures," said MAS in its press release.
In its latest form, the reference to Internet Banking is removed to signify a wider scope (it is no longer just about Internet banking). In addition, the TRMs now applies to financial institutions, including non-banks which are licensed by the MAS. This means that stock brokers, insurance companies, insurance brokers and payment platforms must now take heed of the TRMs and include consideration of issues such as cloud computing, m-banking, ATM security, data centres, business continuity management (BCM) etc.
More importantly, the TRMs were also accompanied by Notices on Technology Risk Management. These carry the force of law and are not guidelines and therefore, have strict legal consequences.
These notices also carry a specific obligation for financial institutions to enact IT controls to protect customer information from unauthorised access or disclosure. While these are not too different from the obligations imposed under the recently enacted Personal Data Protection Act (PDPA), they are certainly more specific and prescriptive. They also carry stricter consequences. In addition, the notices take effect on 1 July 2014, just one day before the PDPA comes into full force.
CIOs and project managers may need to project manage to ensure that they comply with both the notices and the PDPA concurrently and perhaps think about whether each project can complement the other.