On 10 June 2026, the Monetary Authority of Singapore (MAS) published a consultation paper proposing amendments to its Notices on Technology Risk Management. The consultation closes on 31 July 2026. The proposed changes cover IT asset management, IT risk assessment and monitoring, change management controls, continuous system and security monitoring, immutable and offline data backup, and incident management.
For technology companies and IT service providers that supply financial institutions in Singapore, this is not a distant regulatory development. It is a direct signal of where contractual requirements are heading, and it reinforces an existing pattern that has been building since the MAS Technology Risk Management Guidelines became legally binding in May 2024.
What the proposed amendments add
The June 2026 consultation paper proposes to strengthen several areas that the existing MAS Notices already address, but in more specific and enforceable terms.
The immutable and offline data backup requirement is the most operationally significant for technology vendors. It would require financial institutions to maintain backup copies that cannot be altered or deleted, stored separately from the primary systems and networks. For any IT vendor or managed service provider whose services touch a client's data backup infrastructure, this creates a clear technical and contractual obligation that will flow downstream into vendor agreements.
The continuous system and security monitoring requirement moves security monitoring from a periodic activity to an ongoing one. Financial institutions will need to demonstrate that their systems, and the systems of the vendors they rely on, are being monitored in real time for anomalies. Vendors who cannot evidence this capability will face harder conversations at the procurement stage.
The incident management provisions tighten the requirements around notification timelines and response procedures. Where a vendor's system or service contributes to an incident at a financial institution client, the vendor's own incident response capability becomes part of the client's regulatory posture. That connection between the vendor's response capability and the client's regulatory compliance is what makes technology liability insurance directly relevant to this framework.
Why technology vendors are affected, not just financial institutions
The MAS Notices apply directly to licensed financial institutions: banks, insurers, capital markets entities, and payment service providers. They do not apply to technology vendors directly.
But that distinction matters less in practice than it appears on paper. When MAS requires a financial institution to manage the technology risks posed by its third-party vendors, the financial institution passes that obligation downstream through contracts. The insurance requirements, audit rights, security obligations, and incident notification timelines that MAS expects the financial institution to have in place become the contractual terms the financial institution applies to its vendors.
MAS's March 2026 consultation on Third-Party Risk Management Guidelines, which proposed extending outsourcing requirements to all third-party arrangements and not just formal outsourcing contracts, widened that perimeter further. Any Singapore technology company providing services to a financial institution is now operating in an environment where the client's regulatory obligations shape the contractual terms the vendor must meet, including the insurance requirements.
What this means for technology PI and cyber cover
Two insurance products sit at the centre of these requirements.
Technology professional indemnity insurance covers claims made against a technology company for errors or failures in the services or systems it delivered. If a vendor's software defect, configuration error, or failure to deliver to specification causes a financial institution client to suffer a loss or a regulatory consequence, the claim comes to the vendor. Technology PI is what responds. The distinction between technology PI and standard professional indemnity is that technology PI is written to cover software products and system deliverables, not just professional advice. A standard PI policy arranged before a company moved into system delivery or managed services may contain exclusions that leave this exposure uncovered.
Cyber insurance covers the costs the vendor itself incurs following a security incident: forensic investigation, incident response, business interruption, and regulatory notification under the Personal Data Protection Act (PDPA). It also covers third-party liability for data breaches affecting client data held by the vendor. For a managed service provider whose systems hold client data or whose access credentials could be used to reach client infrastructure, this is not a theoretical risk.
The interaction between the two matters. A security incident at a vendor that results in downtime or data exposure for a financial institution client can simultaneously trigger a technology PI claim (the client's loss from the vendor's failure) and a cyber claim (the vendor's own incident response costs). If the two policies are not placed with awareness of each other, exclusions can leave the vendor exposed at exactly the point where both covers are needed.
We covered the mechanics of how technology PI and cyber work together in our posts on "Technology Liability Insurance in Singapore" and "Professional Indemnity, Cyber and Liability Insurance for Professional Services Firms".
The contract requirements question
For a Singapore technology company currently in procurement discussions with a financial institution, the practical question is whether the current PI and cyber policies satisfy what the client's contract requires.
Four areas are worth confirming before the contract is signed.
Does the technology PI policy wording extend to the actual deliverables, including software, system integrations, and managed services, or does it cover only professional advice? A policy that covers advice but excludes system products does not satisfy a contract requirement for technology errors and omissions cover.
What is the retroactive date on the technology PI policy? Claims-made policies respond only to claims arising from work done after the retroactive date. A retroactive date set to the current policy's inception date leaves all prior work uncovered.
Does the cyber policy cover the specific scenario of a vendor breach affecting client data? Some cyber policies have exclusions for liability arising from client data held in a vendor's environment. It is worth confirming the scope of third-party liability cover against the specific data arrangements in the contract.
What is the indemnity limit on both policies, and does it meet the minimum specified in the contract? Financial institutions routinely specify minimum limits of S$1 million to S$5 million for technology vendors, depending on the nature and criticality of the engagement. A policy arranged at a lower limit creates a contractual gap even where the cover type is correct.
You can read more about our professional indemnity cover and cyber insurance on the products page. If you are a technology company responding to a financial institution's insurance requirements, or reviewing your current cover against the direction of MAS's proposed TRM amendments, we would be glad to work through it with you.
This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.