The Monetary Authority of Singapore (MAS) - the regulator of one of Asia's leading financial hubs - has released a Consultation Paper on Proposed Amendments to the Technology Risk Management (TRM) Notices applicable to financial institutions in Singapore. The proposed amendments not only introduce several new technical requirements but also reflect a fundamental shift in technology risk management philosophy that deserves close attention from the Vietnamese financial sector. Rather than focusing solely on protecting IT systems from cyberattacks, MAS is moving toward a broader objective of enhancing technology resilience and ensuring the continuous delivery of critical financial services
A Fundamental Shift in Technology Risk Management: From Prevention-Focused Controls to Resilience and Service Continuity
For many years, technology risk management primarily focused on protecting servers, applications, and databases through cybersecurity controls such as firewalls, antivirus software, intrusion detection systems, and Security Operations Centers (SOCs). The primary objective was to prevent cyberattacks and safeguard IT infrastructure from external threats.
However, as technology supply chains become increasingly complex and financial institutions grow more dependent on third-party technologies, including cloud services, APIs, and proprietary software - MAS recognizes that preventing every incident is no longer realistic.
Several major incidents over recent years clearly illustrate this reality:
- The SolarWinds incident (2020) demonstrated how a single software vendor could become an entry point for compromising thousands of organizations worldwide.
- The Log4Shell vulnerability (2021) forced many organizations to spend weeks or even months identifying whether their systems contained the vulnerable Log4j library.
- The MOVEit attack (2023) further highlighted software supply chains as attractive targets for cybercriminals.
- The CrowdStrike software update incident (2024) disrupted the operations of banks, airports, and hospitals globally despite not being a conventional cyberattack.
These incidents raise an important question for regulators:
Should the objective of technology risk management remain focused on preventing cyberattacks, or should it evolve toward ensuring early detection, rapid response, and swift service recovery with minimal disruption when incidents inevitably occur?
Against this backdrop, MAS has proposed amendments to the TRM Notice covering seven key areas:
1. IT asset management
2. IT risk assessment and monitoring
3. Capacity planning and management
4. Change management controls
5. Continuous system and security monitoring
6. Immutable or offline data backup
7. Incident management
In addition to these seven areas, MAS also proposes clarifying how unscheduled downtime should be measured for critical systems. The proposal specifies that partial outages and intermittent disruptions that affect operations or customer services must also be included in total downtime calculations. This significantly raises expectations for banks and financial institutions, particularly when localized failures affect Core Banking platforms or digital payment services.
Although the consultation paper is still under public consultation and has not yet taken legal effect, MAS's approach is broadly aligned with international regulatory developments, including the European Union's Digital Operational Resilience Act (DORA) and operational resilience frameworks adopted by other financial regulators worldwide. As such, the proposal provides valuable insight into the future direction of technology risk management across the region.
Vietnam's Gap Lies Not in Technology, but in Governance
Vietnam has made significant progress in strengthening its legal framework for data governance and information security. The Law on Personal Data Protection 2025, effective from 1 January 2026, establishes comprehensive principles governing the processing of personal data. Meanwhile, the State Bank of Vietnam (SBV) has introduced numerous regulations on information system security, IT risk management, and digital transformation within the banking sector.
However, from an operational resilience perspective, Vietnam's primary challenge is no longer the lack of cybersecurity technology but rather the maturity of its internal risk governance framework.
Many organizations have invested significantly in SOC (Security Operations Center), SIEM (Security Information and Event Management), or EDR (Endpoint Detection & Response) and DLP (Data Loss Prevention) solutions. Yet more fundamental questions remain:
Does the organization have a complete understanding of all IT assets under its management? Are the dependencies between systems, applications, open-source components, and third-party service providers fully documented? Is accountability clearly assigned for each technology risk? Does senior management receive timely and actionable information to support decision-making during technology incidents?
For Vietnamese financial institutions, MAS's proposal serves as an important signal of the regulatory direction that the region is likely to follow over the coming years. Rather than waiting until similar requirements become mandatory, organizations can begin preparing by:
- Maintaining a comprehensive and up-to-date inventory of all services and assets
- Assigning clear risk ownership and strengthen governance practices
- Conducting scenario-based resilience testing
- Integrating incident response management with Cyber insurance
As digital financial ecosystems become increasingly interconnected and complex, cybersecurity will remain the foundation, but operational resilience is emerging as the new benchmark for technology governance.
Reference: Monetary Authority of Singapore (June 2026): Consultation Paper on Proposed Amendments to Notices on Technology Risk Management
Sending data...