3 March, 2014
The Monetary Authority of Singapore (MAS) has to date issued several guidelines and notices. Among the latest are those relating to technology risk management: the Technology Risk Management Guidelines 2013 and the Notice on Technology Risk Management 2013. They are aimed at protecting the IT systems of financial institutions from the increasing risk of cyber attacks. It is worth noting that these recent guidelines and notices do not replace the Outsourcing Guidelines, nor do they replace the BCM (Business Continuity Management) Guidelines; all three continue to apply. Every IT systems contract extension or renewal should take these MAS guidelines and notices into account.
Importantly, the various Notices on Technology Risk Management 2013 take effect on 1 July 2014. By this deadline, financial institutions are required to roll out measures to comply with a set of legal requirements to safeguard critical systems.
A “critical system” is a system, the failure of which will “cause significant disruption to the operations” of the financial institution or “materially impact” its services to customers, such as a system which processes time-critical transactions or provides essential services to customers. Among other things, financial institutions are to put in place frameworks and processes to identify their critical systems and to make reasonable efforts to maintain high availability of those systems. Financial institutions are also required to establish a recovery time objective of not more than 4 hours for each critical system, and to notify MAS of, and subsequently report on, relevant incidents. Specifically, a financial institution must notify MAS within 1 hour of discovering a relevant IT incident, being one which has a severe and widespread impact on the financial institution’s operations or which materially impacts its service to customers. A root cause and impact analysis report must then be submitted to MAS within a specified period of time.
From a contractual perspective, the above requirements directly affect the service level agreements financial institutions must enter into with their suppliers in respect of critical systems: the supplier’s commitments on availability, recovery time and incident notification must be at least as stringent as the financial institution’s own obligations to MAS, failing which the institution will be unable to meet them. There is a deadline of 1 July 2014 to observe. The impact of these requirements is widespread, as the definition of “financial institution” is wide. It refers to any person licensed, approved, registered or regulated by MAS under any written law, which includes banks, finance companies, money-changers and remitters, insurers and insurance intermediaries, financial advisers, approved holding companies, securities and futures exchanges, market operators, trade repositories, clearing houses and holders of capital markets services licences, trustees of collective investment schemes, trustee-managers of business trusts and trust companies, and holders of stored value facilities.
For further information, please contact:
Chia Ling Koh, Partner, ATMD Bird & Bird