Tech Risk Management 201307

8/11/2019 Tech Risk Management 201307

1/38

www.pwc.com/sg

July 2013

Issue 1

Global Regulatory

Technology RiskRequirements

MAS Technology

Risk Management

Competitive

Intelligence

Appendix

Case StudyUseful Resources

2 5 27 32

Technology Risk Management

Managingtechnology risk isnow a business

priority


2/38

PwC

GlobalRegulatoryTechnologyRiskRequirements

2


3/38


4/38

PwC

Impact of regulation: Overview

The interplay ofnew technologyrisk regulationwith othermarket changes

is drivingwide-rangingbusinessimpacts

Change-driven business impacts

Strategic ImpactsAttractiveness of markets, business

models and portfolios under new rules Operational effectiveness and cost

management Driven by strategic business choices and

new reporting/transparencyrequirements

Organisation, governance and culture Incentives and governance rules the

subject of more intense regulatory

interest GAAPchanges

RiskMgmt

Tax

TechnologyRisk

FATCA

Accountingpolicies

Capital &liquidity

Riskprocesses

Structuring/levies

Reserving

ExecCompensation

Disclosure Payment

structures Incentives

AML

External

Environment

FS Reg

ulations

Slow growth Depressedyields

4


5/38

PwC

MASTechnologyRiskManagementNotices and

Guidelines

5


6/38

PwC

Technology Risk ManagementNotice and Guidelines

The Notice and Guidelines were issued on 21 June 2013.

Notice will be effective on 1 July 2014.

All 12 notices tied to the Singapore Act and Laws willimpact:

All Financial Institutions (FIs) (See Appendix fordefinitions)

Includes all IT systems

6

Non compliance to the Notice can result in: Financial penalties Reputational damage Revocation of licence to operate in Singapore

The new MAS

Technology RiskManagementGuidelines (TRMG)have beenenhanced to help

financialinstitutionsimprove oversightof technology riskmanagement and

security practices.


7/38

PwC

What are the implications ofthe Notice ?

Perform a Business Impact Analysisto identify Critical Systems

A FI shall put in place a framework andprocess to identify critical systems 1

Test your Disaster Recovery (DR)Plans are robust

Recovery Time Objective (RTO) of 4 hours for critical systems

2Encrypt customer data to protect

A FI shall implement IT controls to protectcustomer information from unauthorisedaccess or disclosure 3

Active: Active infrastructureHigh availability for critical systems 4 hours of unscheduled downtime 4Real time monitoring and reporting

procedures

Inform MAS of major security incidents,systems malfunction within 60 minutesand submit root cause with 14 days 5

7


8/38

With the new

TRM Notice andGuidelines,six groupedareas that

impact yourbusiness wereidentified

1

Notice 2System Availability,Incident and CapacityManagement

4

Development andChange Management

3

OperationalInfrastructureSecurity and AccessManagement

5

Mobile OnlineServices

6Others

8PwC


9/38

The Notice hasclear definitionsand are legallybindingrequirement forFIs

Notice Consultation Paper TRMG 2013

Single NoticeEach type of FI (banks, insurance company, brokers, etc.) isissued one Notice, but the contents is the same.

No Definitions

Redefinition of following terms: Critical system: Failure of which will cause significant

disruption into the operations of the FI or materially impactthe FIs service to its customers

System malfunction: failure of any of the FI's critical systems Relevant incident: System malfunction or IT security

incident, which has a severe and widespread impact on theFI's operations or materially impacts the FI's service to itscustomers

Notification to MASwithin 30 minutes for

all IT SecurityIncidents

Notification: no later than 1 hour upon discovery of a relevantincident. Upon discovery refers to after the FIs have ascertained

the nature and magnitude of an IT incident meets the criteriaset out in the Notice.

Submission of rootcause analysis withinone month

Root cause analysis changed to: submit within 14 days ofdiscovery. Can request for extension.

2 3 41 5 6

9PwC


10/38

Consultation Paper TRMG 2013

Achieve near zero systemdowntime for criticalsystems

Achieve high availability for critical systems.

Public announcement ofmajor incidents should bemade in a timely manner

This requirement was removed. Expectation BCP willaddress this matter.

Conduct quarterly trendanalysis

Removal of quarterly trend analysis.

No RequirementsFI should inform MAS as soon as possible in the event thata critical system has failed over to its disaster recoverysystem.

SystemAvailability,Incident andCapacity

Management

2 3 41 5 6

10PwC


11/38


No requirement toencrypt USB disks.

Encrypt USB disks containing sensitive or confidentialinformation before transporting to off-site for storage. Theencrypting of sensitive information should be performed onall mediums that are transported off-site.

No requirement fortimeframe of review.

Evaluate the recovery plan and incident responseprocedures at least annually.

No detailedrequirements

New requirements: FI to ensure that indicators such as performance,

capacity and utilisation are monitored and reviewed. FI should establish monitoring processes and

implement appropriate thresholds to provide sufficienttime for the FI to plan and determine additionalresources to meet operational and businessrequirements effectively.

SystemAvailability,Incident andCapacity

Management

2 3 41 5 6

11PwC


12/38

Strongauthentication oncustomer andtransactionalprocessing

OperationalInfrastructureSecurity andAccessManagement


Implement 2FA forprivileged users

Implement strong authentication mechanisms forprivileged users.

Quarterly VulnerabilityAssessment requirement

Frequency of vulnerability assessment is removed.Expectation to perform annual penetration test is stillrequired.

2 3 41 5 6

12PwC


13/38

Developmentand Change

Management

Non-productionenvironments canconnect to theinternet


Only allowedproductionenvironment to beconnected to theInternet

Non-production environment is now allowed to connect tothe internet provided a risk assessment has been performedand appropriate controls are in place.

2 3 41 5 6

13PwC


14/38

MobileOnline

Services

Magneticstripes areallowed


Transaction-signing forhigh-risks / high-valuetransactions

Online financial systems servicing institutional investors,can use alternate controls, if assessed to be equivalent orbetter than using token-based mechanisms to authorisetransaction.

Magnetic stripes werenot allowed

If, for interoperability reasons, transactions could only be

effected by using information from the magnetic stripe on acard, the FI should ensure that adequate controls areimplemented to manage these transactions.

2 3 41 5 6

14PwC


15/38

Others

More areas tofocus on


Archival ofcryptographic key

The requirement that cryptographic keys should only beused for a single purpose, and archival of keys has beenremoved. Expectation a Key Management policy shouldcover lifecycle of keys.

Reliability and resiliencyRequirement to implement mirrored / parity redundancyfor RAID (Redundant Array of Independent Disk), as wellas allocation and configuration for hot spares removed.

Requirement for ITAudit to validate andverify issues raised byMAS inspection

Removal of IT audit (IA) requirement. Expectation that ITAudit will review MAS findings.It is good practice for IA to be aware of relevant issues andconsider as part of their risk universe.

2 3 41 5 6

15PwC


16/38


Requirement forclearing browser cacheafter online session didnot exist

Added one pre-caution that FI should advise the customerto adopt "clear browser cache after the online session.Expectation this be part of customer awareness.

Onsite visit to Datacentres, or serviceproviders should be

performed

Removed, good practice would verify data centres andservices providers are compliant to IT Outsourcing

requirements and MAS TRM guidelines.

Verify the authenticityand integrity of themobile apps

Removed; but transaction-signing should be implementedfor authorising transactions.

PIN should be changed

regularly

Added or when there is any suspicion that it has been

compromised or impaired.

2 3 41 5 6

16PwC

Others

More areas tofocus on


17/38

Summary of Gap Analysis between IBTRM(Internet Banking and Technology Risk Management)

and the new TRM Notice and Guidelines

17

Applicable to all financial institutions and include all IT systems (inclusive internet).

64% 19% 17%

New and EnhancedRequirements

No Change inRequirements

Clarifications andStatements Update

PwC


18/38

System Availability and Incident Management Impact and Costs

18PwC

Framework Processes Systems Cost

Define critical systems L

Critical Systems need to have high availability with 4 hours of unscheduled downtime

H

Mechanism to monitor downtime May be M-H

Develop and implement Recovery Plan for CriticalSystems (RTO) of 4 hours. Test & validateannually

H

Develop and implement incident handling process

to achieve 1 hr response upon discovery of relevantincident H

Develop and capacity management process May be M-H

Dependency and complexity in involving 3rdparty service providers

Legend: L Low; M Medium; H- High

Action Required Impact


19/38

TechnologyRiskManagement

Guideline vs.IBTRM v3-Themes

19PwC

1

Technology RiskManagementFramework, Roles ofSenior Mgmt & Board

4

OperationalInfrastructureSecurity Management5

System Availability

and InfrastructureManagement

6

Others

3

Mobile OnlineServices

2

Enhanced DataCentre Requirements


20/38

TechnologyRiskManagementFrameworkand Role of

SeniorManagementand the

Board

20

Key Requirements What you need to consider

Senior management involvementin the IT decision-making process

Implementation of a robust riskmanagement framework

Effective risk register bemaintained and risks to beassessed and treated

Implementation of a employeescreening process and annualsecurity awareness training

How is senior managementinvolved in IT decision makingand risk management?

Is there an effective governance in

place to ensure the board canmake informed decisions?

Is there a formalised IT riskmanagement framework in place?

Do employee screening processesinclude the third parties?

2 3 41 5 6

PwC


21/38

EnhancedData CentreRequirements

21


Data centre security shouldinclude physical: security guards,card access systems, mantraps

and bollards etc.

Define your data centres andclassify the critical systems inscope

The TVRA needs cover allpossible scenarios

A robust Threat and Vulnerability RiskAssessment (TVRA) should be performed oncritical systems and data centres

2 3 41 5 6

PwC


22/38

MobileOnline

Services

22


A security strategy that includedthe MAS requirements

Identification of fraud scenariosand payment card fraud countermeasures on mobile devices

Sensitive data should be encrypted

Customers should be educated onsecurity

Does your current security strategyencompass mobile bankingapplications?

Does current risk assessmentconsider mobile banking fraud,mobile-application?

What is sensitive data? Isinformation other thanauthentication-specific informationencrypted on the local device?

2 3 41 5 6

PwC


23/38

OperationalInfrastructureSecurityManagement

23


Inventory of software andhardware components and end of

support/life (EOS/L) Baseline standards for security

configurations

A robust patch managementprocess

Real-time monitoring of securityevents

Detection of unauthorised changesto critical systems

An asset management databasethat includes critical systems thatcan be monitored

File and system integritymonitoring

How does your current patchmanagement process classifypatches? Do you have a patchmanagement strategy that works?

How are you monitoring yourdatabase configuration changesand privileged access?

2 3 41 5 6

PwC


24/38

SystemAvailabilityand

InfrastructureManagement

24


Redundancies for single points of

failures (Cross-border)

Recovery time objective (RTO) andrecovery point objective (RPO)

Recovery plan and testing

Incident response procedures

Problem management process(root-cause analysis)

Are you looking at an Active/Active, or Active/Passive serviceto meet these guidelines and the

Notice. (n+1)

Have all critical systems andnetwork components (on andoffshore) been included?

Do you have a dedicated CERT anda defined plan for security andmajor incidents?

How and who will manage thepublic announcements anddisclosure?

2 3 41 5 6

PwC


25/38

Others - ITSM(InformationTechnology

ServiceManagement)& Acquisitionand

Developmentof

Information

Systems

25


A robust IT service management

framework should beimplemented

Problem management trendanalysis

A project management frameworkshould be used and established

End user applications should bedeveloped inline with bestpractices

Is there a problem managementprocess in place? Are you usingInformation TechnologyInfrastructure Library (ITIL)?

How and are you reviewingprojects and procurements ofsystems against the needs of thebusiness post implementation?

Is a cost benefit analysis andbusiness case developed for allsystem changes?

Do you know what end usertools/spreadsheets/ macros arecritical to your business? Whatwas the methodology used todevelop these tools?

2 3 41 5 6

PwC


26/38

26

2 3 41 5 6

PwC

Others PaymentCard Security


Sensitive payment card datashould be encrypted

Secure chips should be deployedto store sensitive payment card

FIs should only allow onlinetransaction authorisation

Implementation of FraudDetection Systems (FDS) withbehavioural scoring

Where is your payment card datastored? and is the data encryptedwhen stored and duringprocessing?

Is a FDS in place that usesbehavioural scoring?


27/38

PwC

Competitive

intelligence

Our observationof industrypractices

27


28/38

PwC

What you should consider

ScopeDefine your scope and risk assess your

critical systems

Feasibility

Perform a GAP analysis against the

TRM Notice and Guidelines

Ownership Obtain buy in from key stakeholders

Governance Create a robust governance structurethat can guide the development oforganisation controls

Ensure a robust

Technology

Risk

Managementframework is in

operation to

meet your

complianceresponsibilities

28


29/38

PwC

27%

14%

10%9%

8%

8%

7%

7%

7%

3% 3%

Operational Infrastructure Security ManagementAccess ControlOnline Financial ServicesIT Service ManagementOversight of Technology Risks by Board and Senior ManagementData Centres Protection and ControlsSystems Reliability, Availability, and RecoverabilityManagement of It Outsourcing RisksAcquisition and Development of Information SystemsTechnology Risk Management FrameworkIT Audit

Banking benchmarking of issues

The single most popular issue:

Management of IT OutsourcingRisks, representing 7% of issues

reported

1

2Highest number of issues:

Operational Infrastructure SecurityManagement, representing 27% of

issues reported

12

Reported Issues by Domain

29


30/38

PwC

31%

13%

11%

10%

10%

9%

6%4%

4%1%1%

Operational Infrastructure Security ManagementAcquisition and Development of Information SystemsOnline Financial ServicesIT Service ManagementOversight of Tech Risks by Board and Senior MgmtAccess ControlManagement of It Outsourcing RisksData Centres Protection and ControlsSystems Reliability, Availability, and RecoverabilityIT AuditTechnology Risk Management Framework

Insurance benchmarking of issues

The single most popular issue:

Management of IT OutsourcingRisks, representing 6% of issues

reported

1

2Highest number of issues:

Operational Infrastructure SecurityManagement, representing 31% of

issues reported

1

2

Reported Issues by Domain

30


31/38

PwC

Ac

tivity

PwCs 4-Step MAS TRM Compliance program

12

Gap analysisfollowed by

risk prioritisation

Review existingframework, processes

& systems

ImplementProcesses &

Systems

Set up governancestructure and process

Test effectiveness ofsolutions and controls

Design TRMframework, policies,processes and related

controls

Design governancestructure to address

new requirements

Define and designtechnology solutions

Regular Post-implementation

review

On-going monitoringof risks and

effectiveness ofcontrols

Assess Define

Implementation

& Rollout

Review

& Monitor

Deliverables

Gap Analysisresults

Prioritise theissues

RemediationAction plan

TRM framework,policies, processes& controls

TRM governancestructure

TechnologySolutionSpecification

Rolled outprocesses solutions

Training materialsand proceduredocuments

Pre-implementationtest results

Technology riskreporting andregular test results,e.g. RTO

Compliance reviewreport

31


32/38

PwC

Appendix:

Case Studies

32


33/38

PwC

Case Studies Onshore banking

Assisted all stakeholders tounderstand their information

assets and technology risks. Insights on regulations

helped the bank making cost-effective decisions

Strong focus on adherence tobudgeted spend has beenobserved when definingsystems that require RTO of 4hours

Enabled the bank to reportto MAS that it has completedits first round of assessmentsin a timely manner

Provided an efficientapproach that enables thebank to capture and addressrisks in a uniform manner

The MAS completed its inspectionof Technology and issued a reportcontaining a number of findings.1. Risk Management of process

around critical systems2. Adhering to 4 hours RTO

PwC were engaged tofacilitate the remediationeffort: understanding the current

production environment/architecture for all criticalapplications and the business

lines supported by thoseapplications engaging stakeholders from

business, IT, technology riskand operational risks in riskassessment workshops

identify critical informationand technology assets residingin each application and

analyse possible consequencesthat bank may face

review the design effectivenessof internal controls in place

assess residual risks andfacilitate the discussion withstakeholders on treatmentplans if required

ImpactIssue Action

33


34/38

PwC

Case Studies Offshore banking

The Global bank engaged PwC toperform an assessment to evaluatetheir Global stance on Technologypolices, procedures and controlsadherence to APAC regulators, withover 72 issues for Singapore. To address these , issues, a MAS

program was initiated and PwC

were engaged to facilitate theremediation effort:

understanding the currentprescriptive changes that canprocessed for a quick wins

engaging stakeholders frombusiness, to develop multipleplans to find cost effective

solution to especially withglobal data centres hostingcritical systems for Singapore

The MAS program provides agreat opportunity to make policychanges and innovate with cost

effect solutions already usedelsewhere in the bank: PwC have developed a

framework to adhere to futureregulatory requirements

Developed innovate solutionswith the banks staff to save costand become compliant

ImpactIssue Action

34


35/38

PwC

Appendix:

UsefulResources

35


36/38

PwC

Useful

Resources

The MAS TRM Notice:

http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-

and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=

Useful documents:

Instructions on Incident Notification and Reporting to MAS Incident Report Template FAQs Notice on Technology Risk ManagementGuidelines MAS TRM Guidelines

The documents above can be found by following the link below.http://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspx

36
http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=


37/38

PwC

Definition of Financial Institution

Financial institution has the same meaning as in section 27A(6) of Monetary Authority of Singapore Act(Cap.186).

(a) any bank licensed under the Banking Act (Cap. 19);

(b) any finance company licensed under the Finance Companies Act (Cap. 108);

(c) any person that is approved as a financial institution under section 28; [13/2007 wef 30/06/2007]

(d) any money-changer licensed to conduct money-changing business, or any remitter licensed to conduct remittancebusiness, under the Money-changing and Remittance Businesses Act (Cap. 187);

(e) any insurer registered or regulated under the Insurance Act (Cap. 142);(f) any insurance intermediary registered or regulated under the Insurance Act;

(g) any licensed financial adviser under the Financial Advisers Act (Cap. 110);

(h) any approved holding company, securities exchange, futures exchange, recognised market operator, designatedclearing house or holder of a capital markets services license under the Securities and Futures Act (Cap. 289);

(i) any trustee for a collective investment scheme authorised under section 286 of the Securities and Futures Act, that isapproved under that Act;

(j) any trustee-manager of a business trust that is registered under the Business Trusts Act (Cap. 31A);

(k) any licensed trust company under the Trust Companies Act (Cap. 336);(ka) any holder of a stored value facility under the Payment Systems (Oversight) Act (Cap. 222A); and [42/2007 wef01/11/2007]

(l) any other person licensed, approved, registered or regulated by the Authority under any written law,

but does not include such person or class of persons as the Authority may, by regulations made under this section,prescribe.

37


38/38

This presentation has been prepared for general guidance on matters of interest only, anddoes not constitute professional advice. You should not act upon the information contained in

this publication without obtaining specific professional advice. No representation or warranty

(express or implied) is given as to the accuracy or completeness of the information contained

in this publication, and, to the extent permitted by law, PricewaterhouseCoopers, its members,

employees and agents do not accept or assume any liability, responsibility or duty of care for

any consequences of you or anyone else acting, or refraining to act, in reliance on the

information contained in this publication or for any decision based on it.

2013 PricewaterhouseCoopers Limited. All rights reserved. In this document, PwC refers to

PricewaterhouseCoopers Limited which is a member firm of PricewaterhouseCoopers

International Limited, each member firm of which is a separate legal entity.

Focus on risk, compliance will follow

Contact us

Tan Shong [email protected]+65 6236 3262

Mark [email protected]+65 6236 7388

Manish Chawda [email protected]+65 6236 7447

Documents

Tech Risk Management 201307