Monetary Authority of Singapore – Technology Risk Management Guidelines – 2021 Legal Update for Financial Institutions

In January 2021, the Monetary Authority of Singapore (MAS) published their Technology Risk Management Guidelines 2021 for adapting to digital transformation while ensuring continued resilience. This document is a summary of the key take away points for financial institutions (FI’s) regarding the latest regulations in Singapore. These guidelines are of particular relevance to CIO’s, CTO’s or head of Information technology as well as chief information security officers or heads of information security with a specific focus on Individual Accountability and Conduct.

FI’s are looking to digital solutions to increase efficiency, meet customer demand and improve the services on offer compared to the market competition. Developments in technology and increased adoption is driving significant changes in the scope, complexity of information technology, its delivery and day to day management. This increases the level of risk and potential exposure to ever more sophisticated cyber threats.

The revised MAS Technology Risk Management Guidelines outline technology risk management principles and best practices for the financial sector:

  1. Establishing Sound and Robust Technology Risk Governance and Oversight;
  2. Maintaining Cyber Resilience

The MAS has recognised that with changing requirements over time and a growing threat landscape, there is a need for better and more frequently reviewed frameworks and policies to standardise the approach to risk and security. This applies to both internal development work as well as third party providers.

These may sound obvious but for clarity, the MAS suggestions, and methodologies to reduce and manage risk include:

  • Maintaining an accurate and complete view of IT environments and ownership of assets;
  • Better managing technology refresh cycles;
  • System Testing and Acceptance;
  • Reporting;
  • DR planning

The MAS also provided practical and specific directives to deliver new services appropriately and to secure existing services by including:

  • Penetration Testing;
  • Vulnerability Assessments;
  • Source Code Reviews and Application Security Testing;
  • Resilience solutions such as Software Escrow and SaaS Escrow

Software Escrow

Section 5.3.4 of the MAS’s Technology Risk Management Guidelines 2021 details:

The FI should assess if a source code escrow agreement should be in place, based on the criticality of the acquired software to the FI’s business, so that the FI can have access to the source code in the event that the vendor is unable to support the FI. Suitable alternatives to replace the software should be identified if an escrow agreement could not be implemented.

The MAS specifically recommending software escrow as an important component of the project management framework, indicates that FI’s must take the inclusion of software escrow seriously as part of their resilience and business continuity plans. Furthermore, inclusion of software escrow protects FI’s while they adopt ever increasing cloud technologies, placing a reliance on third parties to deliver on their desired business aims.

Software escrow and SaaS escrow agreements can support the acquisition of SaaS hosted systems from vendors under the MAS’s suggested frameworks and policies. For example, meeting established “system recoverability time” objectives that may otherwise be unachievable should a cloud service provider becomes bankrupt or insolvent, or no longer be able to support the product/application, or suffer from a ransomware attack.

Software escrow delivers assurance by providing mitigating controls implemented to address the risks before a solution is deployed or to further enhance the robustness of an already deployed solution.

Escrow London have been building bespoke SaaS Continuity Escrow and software escrow solutions for regulated banks and financial institutions in Singapore and around the world to assist with monetary authority regulations.

These SaaS Continuity Escrow solutions typically include:

  • The deposit of the critical software source code and documentation with Escrow London.
  • Escrow London includes automated deposits of code directly from the developer’s git or code repository as standard.
  • Escrow London offers verification services to provide assurance that the deposited code is usable and can be built to a working version of the application.                                                                                   
  • Providing a replicated cloud environment with databases using deployment scripts that may be activated in the event of a release situation.
  • Escrow London will maintain a dedicated beneficiary cloud account in AWS, Microsoft Azure or Google Cloud Platform (GCP). After implementation, the cloud environment will be maintained in a dormant state with a copy of the database updated daily. In the event of a material failure of the SaaS vendor, Escrow London will be in the position to spin up a recovery environment with the most recent deposited database. The new escrow environment may be maintained by Escrow London for an agreed period of time anywhere from 30 days to 1 year. Allowing the financial institution to continue operating and complying with their obligations under SS/21 until a new solution is implemented.
  • The Replicated SaaS Continuity solutions are tested by Escrow London on a quarterly basis to ensure the deposited system is up to date and functioning as expected by the financial institution.
  • Access Credentials with Live Continuity
    • Deposit of access credentials to the production environment usually hosted within AWS, Microsoft Azure or GCP. Escrow London’s team of cloud engineers will become familiar with the production environment through a transfer of knowledge process with the SaaS vendor. In the event of a material failure, Escrow London has the authority to step in, segregate and transfer the beneficiary’s AWS environment to a new AWS account under the ownership of Escrow London or the financial institution. The recovered escrow environment may be maintained by Escrow London for an agreed period of time anywhere from 30 days to 1 year, allowing the financial institution to continue operating and complying with their obligations under SS/21 until a new solution is implemented.
    • The Access Credentials continuity solution is tested on a quarterly basis to ensure the process for migrating the accounts is valid and documented.
  • Vendor Financial Monitoring (VFM)
    • VFM provides an additional layer of assurance to the financial institution that the SaaS vendor is keeping up to date with their payments to the cloud hosting vendor. In the event of payment irregularities, the financial institution will receive a red flag that there may be an issue.
  • Ransomware Recovery
    • With the current boom in ransomware attacks, recovery and backup hidden away from your network are critical to overcoming an attack. The Escrow London Ransomware Recovery Escrow solutions give financial institutions the chance to restore quickly when the worst happens through the following services:
      • Ransomware Recovery Live – dormant copy of the production environment that can be spun up at short notice.
      • Ransomware Database Recovery – daily copy of your database held out of reach from ransomware hackers.
      • Ransomware Source Code & Infrastructure as Code Sync – automated pull of source code and IaaC scripts held outside of your network.

The above Escrow London Software Escrow and SaaS Continuity Escrow solutions meet the stringent standards required to ensure financial institution resilience in the face of continuity challenges such as a material failure of a SaaS vendor.  

Contact Escrow London to learn more about robust Software Escrow, SaaS Continuity and Ransomware Escrow solutions and how they can assist with your business with MAS compliance.