Technology Risk Management

    How frequently should a financial institution conduct vulnerability assessment and penetration testing?

    Penetration testing should be conducted at least annually on internet-facing systems (para. 9.4.4 TRM Guidelines, para. 2(b) Circular No. SRD TR 01/2014). Financial institutions should also continuously monitor for emergent security exploits and perform regular vulnerability assessments of their IT systems against common and emergent threats (para. 2(a) Circular No. SRD TR 01/2014).

    MAS expects all financial institutions (“FIs”) to conduct vulnerability assessments and penetration testing (“VAPT”) (para. 9.4 TRM Guidelines). The TRM Guidelines calling for such VAPT are statements of industry best practices which FIs are expected to adopt. Where appropriate, FIs may adapt these guidelines, taking into account the diverse activities they engage in and the markets in which they conduct transactions (para. 2.0.1 TRM Guidelines).