Technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, was commenting after the Monetary Authority of Singapore (MAS) applied technology risk management guidelines it revised in 2013, the first time it had applied the guidelines to non-hacking related incidents.
MAS will prevent SGX increasing the fees it charges for trades on its securities and derivatives markets until SGX completes work to improve its "recovery capabilities and processes". This work could cost SIN$20 million ($14.9m), according to a report by the Financial Times. SGX will also make a SIN$1m contribution to MAS' Investor Education Fund.
The regulatory action follows two outage incidents which disrupted trading on SGX markets on 5 November and 3 December 2014.
Tan said: "What we can see here is an application of what standards MAS expects of financial institutions operating technology systems and what standards will be applied should an outage occur on these systems."
Under the guidelines introduced in 2013, banks, insurance companies and credit card providers in Singapore have to notify MAS within an hour of discovering serious IT security incidents or system malfunctions.
Singapore financial institutions are required to establish a framework and process for identifying "critical systems" and "make all reasonable effort to maintain high availability" of those systems. Unscheduled downtime that affects services to customers should not exceed a total of four hours in a year, under the MAS guidelines.
MAS said that it accepts the findings of an SGX inquiry into the November outage, which found that the exchange had taken reasonable steps to ensure its power system was resilient. However, it said, service recovery times need to improve. SGX did not recover some critical systems within the four-hour recovery aim set out in the guidelines, and monitoring systems did not identify problems quickly enough, MAS said.
SGX must therefore strengthen its monitoring system and its business continuity and disaster recovery procedures, and improve crisis communication processes to reach all stakeholders, MAS said. Until this work is verified by an independent expert, and MAS is satisfied with the result, SGX may not increase fees in the securities and derivatives markets, it said.
The December outage was caused by different issues, MAS said. Market opening was delayed due to errors in reports generated by SGX's client accounting system after an upgrade.
MAS said that the time taken to escalate and troubleshoot the errors fell short of expectations, and it told SGX to improve service recovery and how it implements technical changes.
Ong Chong Tee, managing director for financial supervision at MAS, said, "Financial institutions have the responsibility to ensure the resilience of their technological systems. They should effectively manage their technology risks and ensure prompt recovery when incidents arise so as to minimise service disruption to customers. MAS takes a serious view of the incidents and will require SGX to improve its technology risk management."