
Background
On 10 June 2026, MAS issued a Consultation Paper proposing updates to its Notices on Technology Risk Management (“TRMN”). The primary objectives of the proposed enhancements to the TRMN are to reinforce technology resilience, address emerging AI-enabled threats, and eliminate ambiguities in system downtime reporting, against the backdrop of significant IT service disruptions at major banks in Singapore. The Consultation Paper presents nine specific policy questions in the following core areas for industry feedback. The impending TRMN enhancements will apply to ALL financial institutions in Singapore.
Key Focus Areas
- IT Asset Inventory Scope
As static registries fail to track rapid technological changes, MAS emphasizes that a granular asset inventory is foundational for vulnerability patching, cryptographic key oversight, digital certificate lifecycle tracking, and technology obsolescence management. The proposed requirements demand a complete, real-time view of the entire IT operating environment, forcing FIs to record specific metadata capable of identifying vulnerabilities tied to third-party open-source components and broader software supply chain risks.
- IT Risk Assessments & Key Risk Indicators
Recognizing that static risk assessments fail to keep pace with dynamic threat landscapes, MAS is moving the regulatory perimeter toward continuous risk identification. The updated scope mandates that FIs broaden their assessments to include specialized threats introduced by artificial intelligence (“AI”) and software supply chains, while inviting feedback on whether to explicitly specify standardized Key Risk Indicators (“KRIs”) within the Notice for the monitoring of material risks.
- Proactive Capacity Planning
As a high volume of operational degradation incidents stem from FIs failing to anticipate data volume spikes, MAS intends to transition firms from reactive resource allocation to forward-looking scaling models. The proposed requirements mandate that FIs proactively manage resource thresholds to support future business growth, and MAS is seeking explicit feedback on whether a specific regulatory frequency (e.g., quarterly or annually) should be prescribed for these capacity planning reviews.
- Continuous Security Surveillance of Critical Systems
With advanced persistent threats actively bypassing legacy security boundaries, MAS views reactive, perimeter-based logging as insufficient for modern cyber defence. The proposed framework establishes strict mandates for continuous system and security monitoring, requiring FIs to define clear operational indicators, specific threshold boundaries, and automated response and remedial action frameworks to contain anomalies instantly.
- Data Backup Architecture & Frequency
Under Outcome Five of the FDG, FIs are expected to use independent, competent functions to investigate complaints objectively, ensuring that systemic representative misconduct trends are reported immediately to the BSM and resolved through appropriate remediation actions.
- Incident Management & Disruption
FIs have historically omitted micro-outages and rolling degradations from their regulatory reporting, artificially inflating reported system stability. The revised incident management framework expands the reporting scope by introducing the phrase “partial or intermittent disruption,” seeking feedback on its clarity to ensure FIs consistently incorporate these micro-events when computing their mandatory 4-hour maximum unscheduled critical system downtime allowance within any 12-month period.
- Partial and Intermittent Unscheduled Downtime
MAS proposes explicitly requiring that partial and intermittent disruptions be counted toward unscheduled downtime for critical systems, and seeks feedback on whether this phrasing is clear enough for consistent application, inviting alternative terms or definitions to improve clarity.
- Implementation Timelines
While MAS recognizes the urgency of upgrading systemic cybersecurity across the financial sector, it must balance these mandates against the operational capacity and deployment timelines of financial institutions. The paper seeks industry feedback on whether the transition timeline of 12 months set out in the Notice is sufficient.
What’s Next?
FIs should treat the consultation paper as an active indicator of MAS’s upcoming enforcement perimeter. Compliance and IT infrastructure teams should immediately evaluate their capabilities against the MAS Consultation questions, particularly regarding cloud asset metadata tracking, zero-trust network monitoring, and air-gapped immutable storage configurations. The consultation period remains open for industry feedback until 31 July 2026.
How Can We Help?
Capital Governance assists Financial Institutions through:
- TRM Analysis & Architecture Audits: Evaluating your current IT asset inventories, capacity management processes, and data backup schemas against the proposed requirements to prepare for the finalized Notices.
and more …


