MAS technology risk and the one-hour clock
Singapore's technology risk regime is among the most prescriptive in the region. The one-hour incident notification is the most visible obligation, but the supervisory expectation behind it is broader.

The Monetary Authority of Singapore sets technology risk expectations through a combination of MAS Notices for each licensee class and the Technology Risk Management Guidelines, last comprehensively revised in January 2021. For banks, MAS Notice 644 requires notification of a relevant incident to MAS as soon as possible and no later than one hour after discovery, followed by a root cause and impact analysis report within 14 days. Equivalent notices apply to insurers, capital markets services holders and payment institutions, with comparable timelines tuned to entity type.
The one-hour clock attracts attention because it leaves no operational slack. To meet it consistently, an institution needs incident classification that can be applied under pressure, a duty roster that includes an authorised notifier on every shift and a notification channel that does not depend on systems that may themselves be impaired. Firms that try to design that capability during an incident discover the gap. Firms that have rehearsed it complete the notification while the technical team is still triaging.
Behind the timelines is the broader supervisory expectation set out in the TRM Guidelines. MAS expects boards and senior management to take direct ownership of technology risk, including third-party and cloud risk, and to ensure that critical systems meet specific availability targets. The Guidelines reference a maximum unscheduled downtime of four hours within any twelve-month period for critical systems, with recovery time objectives consistent with that target. The number is not a hard rule for every entity, but it is a recognisable benchmark in supervisory dialogue.
Outsourcing risk is governed by the Guidelines on Outsourcing, supported by the Business Continuity Management Guidelines revised in June 2022, and increasingly by the Information Paper on Operational Resilience issued in June 2024. The paper formalises the operational resilience direction MAS has signalled for several years. Financial institutions are expected to identify critical business services, set service recovery time objectives that consider customer and system impact, and map the people, processes, technology, information and third parties needed to deliver those services through disruption.
Concentration risk on shared cloud regions is now a routine supervisory question. Singapore hosts a dense set of financial institutions on a small number of hyperscaler regions. A region-level event affects many firms at once, and MAS has been explicit that it expects each institution to have considered the implications, including alternative deployment models, exit and stressed-exit arrangements, and the realism of cross-region failover under stress. Generic provider attestations are not treated as sufficient evidence.
Cyber expectations sit alongside the TRM and outsourcing regime through the Notice on Cyber Hygiene, which sets baseline requirements on multi-factor authentication, patching, malware protection, security log retention and administrative account control. The hygiene baseline is genuinely a baseline. Supervisory engagement after recent regional incidents has focused on whether the broader cyber programme, including third-party access management and detection capability, is consistent with the institution's risk profile rather than only with the minimum standard.
For institutions setting their Singapore agenda for the next year, the practical priorities are consistent. Confirm that incident classification, escalation and notification can survive a real incident at three in the morning. Reconcile critical business services with critical systems so that the operational resilience view and the technology risk view describe the same reality. Re-test cross-region and cross-provider arrangements rather than assuming the documented design still holds. The regime rewards institutions that treat it as a continuous capability and exposes institutions that treat it as periodic compliance.

