[OR] [MAS] [E2] [C6] Technology and Cyber Resilience

Written by Moh Heng Goh | Apr 28, 2026 11:45:30 AM

eBook 2: Chapter 6

 Monetary Authority of Singapore's (MAS) Regulatory Landscape

 

Introduction

 

Technology is the backbone of modern financial services—and increasingly, the primary source of operational risk and disruption. As financial institutions accelerate digital transformation, the ability to withstand and recover from technology failures and cyber threats becomes central to operational resilience.

The Monetary Authority of Singapore (MAS) reinforces this through its:

  • Technology Risk Management (TRM) Guidelines
  • Operational Resilience guidance

These frameworks require institutions to go beyond traditional IT risk management and build technology and cyber resilience capabilities that ensure the continuity of Critical Business Services (CBS) even during severe disruptions.

This chapter explores:

  • Alignment with MAS TRM requirements
  • The distinction between cybersecurity and cyber resilience
  • Cloud risk and resilience considerations

 

MAS TRM Alignment

Overview of MAS Technology Risk Management

The MAS TRM Guidelines establish expectations for managing risks arising from the use of technology in financial institutions. These include:

  • System availability and resilience
  • Cybersecurity controls and defence mechanisms
  • IT governance and oversight
  • Incident response and recovery capabilities

The TRM framework emphasises that institutions must:

  • Ensure high availability of critical systems
  • Maintain robust controls against cyber threats
  • Implement effective recovery strategies

Integration with Operational Resilience

Operational resilience extends TRM by focusing on service continuity, not just system protection.

 

| MAS TRM Focus | Operational Resilience Extension |
|---|---|
| System availability | Continuity of Critical Business Services |
| IT risk management | End-to-end service resilience |
| Cybersecurity controls | Cyber resilience and recovery |
| Incident response | Integrated Incident → Crisis → Recovery lifecycle |

TRM ensures systems are secure and stable; operational resilience ensures services remain available despite failures.

Key MAS Expectations

MAS expects financial institutions to:

  • Identify critical systems supporting CBS
  • Ensure resilience of IT infrastructure
  • Implement redundancy and failover mechanisms
  • Conduct regular testing of recovery capabilities
  • Manage technology risks across third-party providers

These expectations directly support the resilience lifecycle of:

  • Prevent → Detect → Respond → Recover → Learn

 

Cyber Resilience vs Cybersecurity

Defining Cybersecurity

Cybersecurity focuses on:

  • Protecting systems, networks, and data from unauthorised access or attack

Key objectives:

  • Prevent breaches
  • Detect threats
  • Respond to incidents

Typical controls include:

  • Firewalls
  • Intrusion detection systems
  • Access controls
  • Encryption

 

Defining Cyber Resilience

Cyber resilience goes beyond protection. It focuses on the ability to anticipate, withstand, recover from, and adapt to cyber incidents while maintaining critical operations.

Key characteristics:

  • Assumes that breaches will occur
  • Focuses on minimising impact to CBS
  • Emphasises rapid recovery and continuity

 

Key Differences

 

| Cybersecurity | Cyber Resilience |
|---|---|
| Prevent attacks | Accept attacks will occur |
| Protect systems | Protect services |
| Technology-focused | Business and service-focused |
| Reactive and defensive | Proactive and adaptive |

Cybersecurity is a subset of cyber resilience.

 

Link to Operational Resilience

Cyber resilience is a core pillar of operational resilience because:

  • Most critical services are technology-dependent
  • Cyber incidents can escalate into systemic disruptions
  • Recovery speed directly affects impact tolerance compliance

The BCM Institute emphasises that cyber resilience ensures:

  • Continuity of CBS despite cyber incidents
  • Integration with BCM, crisis management, and incident management

 

Building Cyber Resilience Capabilities

Prevention and Protection
  • Strong cybersecurity controls
  • Secure system architecture
  • Regular vulnerability assessments

 

Detection and Response
  • Real-time monitoring and threat detection
  • Security Operations Centres (SOC)
  • Incident response playbooks

 

Recovery and Continuity
  • System redundancy and failover
  • Data backup and recovery mechanisms
  • Alternate processing arrangements

 

Adaptation and Improvement
  • Post-incident reviews
  • Threat intelligence integration
  • Continuous enhancement of controls

 

Cloud Risk and Resilience Considerations

Increasing Reliance on Cloud

Financial institutions increasingly rely on cloud services for:

  • Infrastructure (IaaS)
  • Platforms (PaaS)
  • Software solutions (SaaS)

While cloud adoption offers scalability and efficiency, it introduces new risk dimensions.

Key Cloud Risks

a. Concentration Risk

  • Dependence on a small number of cloud providers

b. Loss of Control

  • Reduced visibility and control over infrastructure

c. Service Outages

  • Cloud provider disruptions affecting multiple institutions

d. Data Security and Sovereignty

  • Risks related to data location and protection

MAS Expectations on Cloud Risk

The Monetary Authority of Singapore requires institutions to:

  • Perform due diligence on cloud providers
  • Ensure robust contractual and service level agreements (SLAs)
  • Maintain data protection and confidentiality
  • Implement exit strategies and portability plans
  • Monitor third-party risks continuously

Cloud Resilience Strategies

To enhance resilience, institutions should:

  • Implement multi-region or multi-cloud strategies
  • Design for failover and redundancy
  • Ensure independent backup and recovery capabilities
  • Regularly test cloud recovery scenarios

Integration with CBS Mapping

Cloud dependencies must be:

  • Identified within CBS mapping
  • Assessed for impact on service delivery
  • Included in scenario testing and resilience planning

Cloud resilience is not just an IT concern—it is a core operational resilience requirement.

 

Integration Across the Resilience Lifecycle

Plan Phase
  • Identify critical technology assets supporting CBS
  • Assess cyber and technology risks

Implement Phase
  • Deploy controls and resilience architecture
  • Integrate cybersecurity and BCM strategies

Test Phase
  • Conduct:
    • Cyberattack simulations
    • System failure scenarios
    • Cloud outage testing

Improve Phase
  • Analyse incidents and test results
  • Enhance resilience capabilities

 

Key Challenges

Organisations may face:

  • Over-reliance on preventive cybersecurity controls
  • Limited visibility into cloud environments
  • Complex technology interdependencies
  • Difficulty aligning IT and business priorities
  • Rapidly evolving cyber threat landscape

 

Key Success Factors

To build effective technology and cyber resilience:

  • Align TRM with operational resilience objectives
  • Adopt a service-centric approach to technology risk
  • Integrate cyber resilience with BCM and crisis management
  • Strengthen third-party and cloud risk management
  • Conduct regular, realistic scenario testing

Technology and cyber resilience are indispensable components of operational resilience. While cybersecurity focuses on protecting systems, cyber resilience ensures that critical services continue despite cyber disruptions.

Aligned with the expectations of the Monetary Authority of Singapore and supported by the BCM Institute’s framework, financial institutions must:

  • Strengthen technology risk management capabilities
  • Build resilience into digital and cloud environments
  • Integrate cyber resilience with broader operational resilience strategies

Ultimately, organisations that successfully embed technology and cyber resilience will be better equipped to withstand cyber threats, recover rapidly, and sustain critical business services in an increasingly digital and interconnected world.


Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 
