Technology Risk Management in Singapore


Technology has overhauled the way things were being done and its use in every sector is significant. Modern tools and digital platforms such as artificial intelligence, blockchain and e-commerce have completely transformed the way businesses operate. According to a report by IDC, global spending on digital transformation is forecast to reach USD2.8 trillion in 2025, which is more than twice the amount in 2020. Many organizations understand the importance of digital transformation and its role to capture new growth opportunities while ensuring they remain competitive and minimize disruption to their businesses by technology-enabled competitors.


With the acceleration of digital transformation coupled with the abrupt migration to remote working as a result of the current pandemic, it has opened doors to additional risks. Cyber threats and attacks have increased particularly ransomware and phishing attacks. According to a report from the Cyber Security Agency of Singapore (“CSA”) with regards to the cybersecurity landscape, 2020 saw an increase in cyber threats such as ransomware, phishing attacks and online scams, with cybercrime accounting for 43% of overall crime in Singapore. Out of which, CSA saw a 154% spike in reported ransomware cases and a 94% increase in the number of malicious servers hosted in Singapore.


In December 2020, two major technology providers FireEye and SolarWinds have disclosed that it was hacked by threat actors and they managed to gain unauthorized access to numerous public and private organizations around the world. With cyberattacks getting ever more sophisticated, other major technology players such as Microsoft and Cisco among many others were also found to be compromised by the same threat actors in their attack campaign.


In the wake of these attacks, the Monetary Authority of Singapore (“MAS”) revised its Technology Risk Management Guidelines (“TRM Guidelines”) in January 2021 to keep pace with the current trends in technology deployment and shifts in the cyber threats landscape. The TRM Guidelines are applicable to all financial institutions (“FIs”) as defined under section 27A(6) of the MAS Act which includes banks and fund managers but does not include overseas subsidiaries and branches of the FIs.


The revised TRM Guidelines focuses on the following key areas:


  • Board and senior management

Both the board of directors and senior management should comprise of members with the knowledge to understand and manage technology risks. In addition, a Chief Information Officer or Chief Technology Officer with the relevant expertise and experience, should be appointed to establish, manage and oversee the information technology framework.


  • Management of third parties

The consideration of technology risks involved now extends to not just outsourced service providers engaged by FIs but all providers of services that are delivered using Information Technology (“IT”) or may involve sensitive information being stored or processed electronically by the third party.


  • System and software development

With the rise of FIs developing in-house software that is specific for their business needs, there is an expectation that FIs incorporate secure coding, code review and application security testing around the development process. In addition, there must be adequate security measures coupled with segregation of duties for the software development, testing and release functions in the process.


  • Cyber security

There are new guidelines revolving around undertaking a defense-in-depth approach to strengthen cyber resilience. This includes collecting, processing and analysing cyber-related information for its relevance and potential impact on the FI’s business and IT environment. Additionally, FI’s should also carry out scenario-based cyber exercises and performs an adversarial attack simulation exercise.


With the increasing reliance on the use of technology coupled with more people working remotely than ever before, the importance of having a robust technology risk management infrastructure cannot be undermined. Establishing one is not simple and it is imperative for FIs to plan ahead to ensure they stay compliant and minimize the risks to their business.




Established since 2013, Lymon has been providing regulatory compliance and risk management services to financial institutions and their fund products. To find out more about how we can assist with your regulatory or structuring needs, do reach out to your usual contact at Lymon or our specialist below:


internal audit, compliance consulting, regulatory compliance, internal audit outsourcing, internal audit services

Jovi Gan, Director

+65 6709 4110

jgan@lymon.com.sg





Internal Audit, VCC Singapore