What are the main regulatory frameworks governing technology risk and cloud adoption in Singapore?
For Financial Institutions (FIs) operating in Singapore, the main regulatory framework is the Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines (revised January 2021). These guidelines set out supervisory expectations for technology governance, cyber resilience and technology risk management.
They require you to establish strong oversight, apply a defense-in-depth strategy, and continuously improve controls to protect the confidentiality, integrity and availability of systems and data.
For cloud outsourcing, reference should be made to the Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide 2.0, which provides practical guidance on vendor due diligence, outsourcing governance, and security controls. The guide is written to support compliance with both the MAS TRM Guidelines and the MAS Outsourcing Guidelines.
A core principle applies at all times: controls implemented in the cloud must be at least equivalent to those used for in-house systems.
How do you classify cloud outsourcing arrangements and why does it matter?
Cloud outsourcing arrangements are classified as Non-Material or Material based on the inherent risk and business impact, as defined in the ABS Cloud Guide.
An arrangement is Material if either of the following applies:
A failure or breach could materially disrupt operations, damage reputation, affect profitability, or impair regulatory compliance.
The arrangement involves customer information where loss, theft, or unauthorized access would materially impact customers.
Examples of Material workloads include:
MAS Critical systems, core banking platforms, financial risk systems, corporate email and document storage, and authentication services such as OTP or two-factor authentication.
This classification determines the level of required controls. Material workloads demand enhanced security controls, deeper due diligence on the provider, and stricter ongoing oversight; Non-Material workloads still require baseline controls at least equivalent to in-house systems.
What are the responsibilities of the Board and Senior Management?
The MAS TRM Guidelines make technology risk a leadership responsibility.
The Board of Directors approves the risk framework and risk appetite, and ensures an independent audit function is in place.
Senior Management implements the technology risk framework, enforces policies and controls, and reports material incidents or adverse developments to the Board in a timely manner.
Both levels of leadership must maintain sufficient knowledge of technology risk and promote a security-aware culture across staff.
What due diligence and contractual safeguards are required when selecting a Cloud Service Provider?
Before engaging a CSP, you must assess its ability to meet security requirements for the intended workload.
You are expected to:
Evaluate the CSP’s development and security practices
Identify where data is stored and processed
Assess legal, political and operational risk of hosting jurisdictions
Conduct Threat and Vulnerability Risk Assessments (TVRA) on relevant data centers
Review physical and environmental security
Contracts must clearly define accountability.
They must include:
Audit and inspection rights for MAS
Access to relevant investigation information
Contractual control over data deletion and termination
Clear definition of shared responsibility
What does “security-by-design” mean under MAS TRM?
Security-by-design requires you to integrate security into every phase of your SDLC.
This includes defining security requirements during design, involving security teams throughout development, enforcing secure coding practices, and performing security testing using static, dynamic and interactive techniques (SAST, DAST and IAST).
The objective is to reduce vulnerabilities before deployment, not after incidents occur.
What enhanced controls apply to Material workloads?
Material workloads require security measures beyond baseline controls.
You must implement:
MFA for privileged access (PUAM)
Detection of unauthorized account creation
Restricted remote access with private connectivity where feasible
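The two identity controls above (MFA for privileged access and detection of unauthorized account creation) are stated as requirements, not as a method. As an added illustration, not part of the MAS or ABS guidance, the following script shows one way to operationalise them on a cloud audit trail: it scans CloudTrail-style JSON events for IAM calls that mint a new identity or long-lived credential and flags any that were not made by an approved provisioning role, or that were made interactively without MFA. The field names follow the AWS CloudTrail record format; the approved role ARN and all sample events are constructed for the example.

```python
"""Detect account-creation activity outside the approved provisioning path.

Scans CloudTrail-style JSON events (one per line) and reports IAM identity or
credential creation that was not performed by an approved automation role, or
that was performed interactively without MFA. The sample events at the bottom
are constructed for illustration only.
"""
import json

# Hypothetical: the only principals allowed to create identities or credentials.
APPROVED_PROVISIONERS = {
    "arn:aws:sts::111122223333:assumed-role/iam-provisioning-pipeline/ci-run",
}

# IAM API calls that mint a new identity or a long-lived credential.
ACCOUNT_CREATION_EVENTS = {
    "CreateUser",
    "CreateAccessKey",
    "CreateLoginProfile",
    "CreateServiceSpecificCredential",
}

# Identity types that represent a person acting directly; these must use MFA.
INTERACTIVE_TYPES = {"IAMUser", "Root"}


def analyse_event(event: dict) -> list[str]:
    """Return findings for one event; an empty list means nothing to report."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    name = event.get("eventName")
    if name not in ACCOUNT_CREATION_EVENTS:
        return []

    identity = event.get("userIdentity") or {}
    actor = identity.get("arn", "<unknown>")
    target = (event.get("requestParameters") or {}).get("userName", "<unknown>")
    # CloudTrail records mfaAuthenticated as the string "true"/"false".
    attributes = (identity.get("sessionContext") or {}).get("attributes") or {}
    mfa = attributes.get("mfaAuthenticated", "false")

    findings = []
    if actor not in APPROVED_PROVISIONERS:
        findings.append(f"{name} on '{target}' by unapproved principal {actor}")
    if identity.get("type") in INTERACTIVE_TYPES and mfa != "true":
        findings.append(f"{name} on '{target}' by {actor} without MFA")
    return findings


def scan_trail(lines):
    """Parse newline-delimited JSON events and collect findings.

    Records that cannot be parsed are counted rather than silently dropped:
    a corrupted audit record is itself something an operator should see.
    """
    findings, unparsed = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1
            continue
        findings.extend(analyse_event(event))
    return {"findings": findings, "unparsed": unparsed}


# Constructed sample trail: one approved pipeline action, one interactive
# creation with MFA but outside the pipeline, one interactive credential
# creation without MFA, one benign read-only call, and one corrupted record.
SAMPLE_TRAIL = [
    json.dumps({
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/iam-provisioning-pipeline/ci-run",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"userName": "svc-reporting"},
    }),
    json.dumps({
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "userIdentity": {
            "type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"userName": "backdoor-admin"},
    }),
    json.dumps({
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {
            "type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"userName": "bob"},
    }),
    json.dumps({
        "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
    }),
    "{not valid json",
]

if __name__ == "__main__":
    result = scan_trail(SAMPLE_TRAIL)
    for finding in result["findings"]:
        print("ALERT:", finding)
    print(f"{result['unparsed']} unparseable record(s)")
```

Run against the sample trail, the script raises three alerts (alice creating an account outside the pipeline, and bob's access key both outside the pipeline and without MFA) and reports one unparseable record. The allowlist of provisioning principals is the part that needs care in practice: it must be kept in step with your identity-governance tooling, or legitimate joiner/mover/leaver automation will generate noise and real exceptions will be tuned out.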
Higher resilience is expected through:
Multi-region architectures for critical systems
Disaster recovery planning for total cloud outages
Annual DR testing covering full-site loss and partial failure scenarios
Consideration of multi-provider or hybrid approaches
If MAS Critical systems are managed by a CSP (e.g. SaaS), contracts must require the provider to notify you immediately of any incident affecting them, so that you can meet the MAS requirement to notify MAS within 60 minutes of discovering a relevant incident.