Singapore Moves to Close the Gaps Between Technology Governance & Operational Reality
Key Takeaways
- Resilience Begins With Visibility: MAS is proposing comprehensive IT asset inventory requirements that would force institutions to maintain a clear and current understanding of their technology environments, including third-party and open-source components.
- Technology Risk Management Becomes More Structured: Financial institutions would be required to formalize technology risk assessments, assign ownership of material risks, maintain risk registers, and monitor those risks through defined indicators.
- Change Management Faces Regulatory Pressure: After observing that many significant incidents stemmed from poorly managed system changes, MAS is proposing stricter requirements around risk assessments, testing, authorization controls, and recovery planning.
- Detection Is Receiving Equal Weight to Recovery: The proposed rules place new emphasis on continuous monitoring and rapid response, reflecting a growing regulatory expectation that institutions identify and address issues before they become customer-facing disruptions.
- Outage Metrics Must Reflect Customer Experience: By requiring partial and intermittent disruptions to count toward downtime calculations, MAS is seeking a more realistic measure of system reliability and operational resilience.
Deep Dive
A surprising amount of operational resilience comes down to keeping lists. Not the glamorous kind of resilience, the one made of dashboards, AI copilots, and threat intelligence feeds. Just knowing what systems exist, where they are, who owns them, what depends on them, and what happens when they fail.
The consultation, launched Tuesday by the Monetary Authority of Singapore (MAS) and open through July 31, proposes a substantial expansion of its Technology Risk Management Notices. It touches nearly every stage of the technology lifecycle, from asset inventories and risk assessments to system monitoring, backup strategies, incident response, and outage reporting.
The individual proposals are not particularly radical. Most would be familiar to any technology risk executive. What is notable is how explicitly MAS is moving these practices from guidance and expectation into regulatory obligation.
The regulator's proposal begins with a requirement that financial institutions maintain a comprehensive inventory of their technology assets. Not just servers and software, but cryptographic assets, open-source software, and third-party components as well.
That might sound administrative until something breaks. Over the past several years, some of the most disruptive technology incidents in financial services have become exercises in discovery. Institutions scrambling to identify where a vulnerable software library is deployed. Security teams trying to determine which systems depend on a compromised vendor. Recovery efforts slowed because nobody possesses a complete picture of the environment they are attempting to restore.
MAS appears determined to eliminate that uncertainty.
Risk Registers Become Operational Tools
The consultation also pushes financial institutions toward a more structured approach to technology risk assessment. Under the proposal, firms would be required to assess threats and vulnerabilities associated with their systems, including risks stemming from technology supply chains and the use of artificial intelligence.
Material risks would need to be documented in formal risk registers alongside designated risk owners and mitigation measures. Institutions would also be expected to establish key risk indicators to monitor those risks over time.
There is a subtle but important shift embedded in that requirement. Technology risk registers have often functioned as governance artifacts: documents produced for committees, regulators, and auditors. MAS is effectively asking institutions to treat them as operational instruments. The emphasis on accountability, monitoring, and measurable indicators suggests a regulator interested not only in whether risks have been identified but in whether anyone is actively managing them.
The Change Management Problem
One section of the consultation stands out because it is unusually direct. MAS notes that a significant number of technology incidents within financial institutions have been traced to poor change management. The list of failures will look familiar to anyone who has participated in a post-incident review: inadequate testing, weak understanding of system dependencies, insufficient impact assessments, and ineffective recovery plans.
The observation cuts against a common assumption about operational resilience. Major outages are often discussed as cybersecurity failures. Yet many of the most disruptive incidents begin with an organization changing its own systems: a software update, a configuration adjustment, a migration project, or a seemingly routine implementation that behaves differently in production than it did in testing.
MAS is proposing requirements designed to address precisely those failures. Financial institutions would need controls preventing unauthorized changes, formal assessments of implementation risks, testing of changes affecting critical systems, and recovery measures capable of restoring services if implementations go wrong.
Watching Systems Before Customers Notice
The regulator is equally focused on monitoring. According to MAS, several major incidents were characterized not simply by technical failures but by delays in detecting them. Capacity problems, performance degradation, and cybersecurity issues persisted long enough to become customer-facing events before institutions responded.
The proposed amendments would require continuous monitoring of critical systems, supported by defined thresholds, alerting mechanisms, response procedures, and remedial actions.
Resilience is often discussed in terms of recovery. Increasingly, regulators are paying attention to detection. The faster an institution recognizes a problem, the smaller that problem tends to become.
A Regulatory Nod to the Ransomware Era
Perhaps the most contemporary element of the consultation concerns data backups. MAS is proposing that financial institutions maintain immutable or offline backups for data critical to business services. The objective is to ensure organizations can recover if production data is corrupted, encrypted, altered, or otherwise rendered unavailable.
Ten years ago, backup discussions largely revolved around hardware failures and disaster recovery. Today they are inseparable from ransomware preparedness.
The consultation goes a step further by asking whether institutions should be required to maintain backups that are both immutable and offline, rather than allowing either approach independently. It is a question that reflects how quickly expectations around cyber resilience continue to evolve.
Measuring Downtime More Honestly
The final proposal may prove one of the most consequential. Financial institutions operating under the current Notice must ensure unscheduled downtime for critical systems does not exceed four hours within any twelve-month period. MAS says some institutions have interpreted that requirement narrowly, excluding partial or intermittent disruptions from their calculations.
The regulator is proposing to remove any ambiguity. Under the revised Notice, partial and intermittent disruptions would explicitly count toward downtime calculations. That change sounds technical. It is not.
Customers rarely distinguish between a complete outage and a service that functions only intermittently. A banking application that fails every third transaction may still be available in a technical sense, but customers experience it as a disruption. MAS appears intent on ensuring resilience metrics reflect that reality.
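To make the difference between the two readings concrete, here is an added example, written for this article and not taken from MAS or from any institution's reporting tooling. It takes a constructed incident log for one critical system and computes unscheduled downtime over a rolling twelve-month window twice: once under the narrow reading (full outages only) and once under the proposed reading (partial and intermittent disruptions counted as well). The four-hour limit is from the current Notice as described above; everything else, including how an intermittent disruption is recorded (as the span during which it occurred, since the consultation does not prescribe a method) and the overlap-merging so that two tickets for the same window are not double counted, is an assumption made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Unscheduled downtime limit for critical systems under the current Notice:
# four hours within any twelve-month period.
LIMIT = timedelta(hours=4)
ALL_KINDS = ("full", "partial", "intermittent")


@dataclass(frozen=True)
class Disruption:
    start: datetime
    end: datetime
    kind: str        # "full", "partial" or "intermittent"
    note: str = ""


# Constructed sample incident log for one critical system (not real data).
# An intermittent disruption is recorded as the whole span during which it
# occurred; this is an assumption, the consultation does not define a method.
SAMPLE_LOG = [
    Disruption(datetime(2024, 1, 5, 1, 0), datetime(2024, 1, 5, 4, 0), "full",
               "older than twelve months, must be excluded"),
    Disruption(datetime(2025, 3, 10, 2, 0), datetime(2025, 3, 10, 4, 0), "full",
               "core system unavailable"),
    Disruption(datetime(2025, 6, 2, 9, 0), datetime(2025, 6, 2, 10, 30), "partial",
               "transfers failing, balance enquiries working"),
    Disruption(datetime(2025, 9, 15, 13, 0), datetime(2025, 9, 15, 14, 0), "intermittent",
               "roughly one in three logins timing out"),
    Disruption(datetime(2025, 9, 15, 13, 30), datetime(2025, 9, 15, 14, 30), "intermittent",
               "second ticket for the same degradation, overlapping the first"),
]

AS_OF = datetime(2025, 12, 31)


def merge_intervals(intervals):
    """Merge overlapping (start, end) pairs so concurrent tickets count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def unscheduled_downtime(log, window_end, kinds=ALL_KINDS, window_days=365):
    """Total downtime of the selected kinds inside the trailing window."""
    window_start = window_end - timedelta(days=window_days)
    clipped = []
    for d in log:
        if d.kind not in kinds or d.end <= window_start or d.start >= window_end:
            continue
        # Clip disruptions that straddle the window boundary.
        clipped.append((max(d.start, window_start), min(d.end, window_end)))
    return sum((end - start for start, end in merge_intervals(clipped)), timedelta())


def downtime_hours(log, window_end, kinds=ALL_KINDS):
    return unscheduled_downtime(log, window_end, kinds).total_seconds() / 3600


def breaches_limit(log, window_end, kinds=ALL_KINDS):
    return unscheduled_downtime(log, window_end, kinds) > LIMIT


if __name__ == "__main__":
    for label, kinds in (("narrow reading (full outages only)", ("full",)),
                         ("proposed reading (all disruptions)", ALL_KINDS)):
        hours = downtime_hours(SAMPLE_LOG, AS_OF, kinds)
        status = "BREACH" if breaches_limit(SAMPLE_LOG, AS_OF, kinds) else "within limit"
        print(f"{label}: {hours:.1f} h in trailing 12 months, {status}")
```

On this constructed log the narrow reading reports two hours and stays within the limit, while the proposed reading reports five hours and breaches it; the same system, the same year, and two different answers depending only on what is allowed to count. The merge step matters in the other direction: without it, the two overlapping tickets for the September degradation would add half an hour that customers never actually experienced twice.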
The consultation reads less like a collection of new controls than an attempt to close the gap between how technology environments are supposed to operate and how they actually operate under stress. The proposals are filled with inventories, registers, monitoring thresholds, testing requirements, and backup controls. None are particularly exciting on their own.
Then again, neither is resilience. Most of the time, resilience is simply the discipline of knowing what you have, understanding what can fail, and being prepared when it does.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

