2024-05-09

Added

Notice on Technology Risk Management

The Monetary Authority of Singapore issued this notice to impose technology risk management requirements on specified capital markets financial institutions. Regulated entities must establish frameworks to identify critical systems, maintain high availability with a maximum of 4 hours of unscheduled downtime annually, and set recovery time objectives of no more than 4 hours. Additionally, institutions are mandated to notify the Authority within one hour of discovering relevant incidents and submit detailed root cause analysis reports within 14 days.

Monetary Authority of Singapore logo

Singapore

Monetary Authority of Singapore

Click to view thumbnail

MAS Notice No.: FSM-N21 Notice to capital markets financial institutions Financial Services and Markets Act 2022 Issue Date: 09 May 2024 NOTICE ON TECHNOLOGY RISK MANAGEMENT Introduction 1 This Notice is issued pursuant to section 29(1) of the Financial Services and Markets Act 2022 (the “Act”) and applies to all the following financial institutions: (a) approved exchanges under the Securities and Futures Act 2001 (“SFA”); (b) licensed trade repositories under the SFA; (c) approved clearing houses under the SFA; (d) recognised clearing houses under the SFA which are incorporated in Singapore; (e) holders of a capital markets services licence under the SFA; (f) recognised market operators under the SFA which are incorporated in Singapore; (g) trustees for a collective investment scheme authorised under section 286 of the SFA, that are approved under the SFA; (h) authorised benchmark administrators under the SFA; (i) authorised benchmark submitters under the SFA; (j) designated benchmark submitters under the SFA; (k) the Depository as defined in section 81SF of the SFA, (each a “specified financial institution”). Definitions 2 For the purpose of this Notice — “critical system” in relation to a specified financial institution, means a system, the failure of which will cause significant disruption to the operations of the specified financial institution or materially impact the specified financial institution’s service to its customers, such as a system which —

(a) processes transactions that are time critical; or (b) provides essential services to customers; “customer” – (a) in relation to a holder of a capital markets services licence, has the meaning given by paragraph (a)(i) of the definition of “customer” in section 2(1) of the SFA; and (b) in relation to an approved clearing house or a recognised clearing house, has the meaning given by paragraph (b) of the definition of “customer” in section 2(1) of the SFA; “IT security incident” means an event that involves a security breach, such as hacking of, intrusion into, or denial of service attack on, a critical system, or a system which compromises the security, integrity or confidentiality of customer information; “relevant incident” means a system malfunction or IT security incident, which has a severe and widespread impact on the specified financial institution’s operations or materially impacts the specified financial institution’s service to its customers; “system” means any hardware, software, network, or other information technology (“IT”) component which is part of an IT infrastructure; and “system malfunction” means a failure of any of the specified financial institution’s critical systems. 3 Except where defined in this Notice or if the context otherwise requires, the expressions used in this Notice have the same meanings as in the Act. Technology Risk Management 4 A specified financial institution must put in place a framework and process to identify critical systems. 5 A specified financial institution must make all reasonable effort to maintain high availability for critical systems. The specified financial institution must ensure that the maximum unscheduled downtime for each critical system that affects the specified financial institution’s operations or service to its customers does not exceed a total of 4 hours within any period of 12 months.

6 A specified financial institution must establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The specified financial institution must validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. 7 A specified financial institution must notify the Authority as soon as possible, but not later than 1 hour, upon the discovery of a relevant incident, other than a relevant incident arising from the circumstances set out in regulations 8(2)(a) and (b), and 21(d) of the Securities and Futures (Organised Markets) Regulations 2018 (“Markets Regulations”), regulation 9(1) of the Securities and Futures (Trade Repositories) Regulations 2013, regulation 11(1) of the Securities and Futures (Clearing Facilities) Regulations 2013, and regulations 11(1)(e) and 19(2)(b) of the Securities and Futures (Financial Benchmarks) Regulations 2018 (“Financial Benchmarks Regulations”).. 8 A specified financial institution must, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 21(d) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report must contain — (a) an executive summary of the relevant incident; (b) an analysis of the root cause which triggered the relevant incident; (c) a description of the impact of the relevant incident on the specified financial institution’s – i. compliance with laws and regulations applicable to the specified financial institution; ii. operations; and iii. service to its customers; and (d) a description of the remedial measures taken to address the root cause and consequences of the relevant incident. 9 A specified financial institution must implement IT controls to protect customer information from unauthorised access or disclosure.

Effective Date 10 This Notice shall take effect on 10 May 2024.