Business Continuity Planning (BCP)

Scene 1 (0s)

[Audio] Business Continuity Planning (BCP).

Scene 2 (5s)

[Audio] Learning Objectives. At the end of this training, you will have gained an understanding of:
- What is Business Continuity Planning (BCP)?
- Key Components of a BCP Framework
- Essentials for Fintech Companies in Singapore
- BCP Template Structure
- Future Developments
- Case Studies

Scene 3 (25s)

[Audio] What is Business Continuity Planning (BCP)? "BCP is a Company's Emergency Playbook." BCP is a proactive framework that ensures continued delivery of products/services, revenue streams and regulatory integrity after disruptive events such as cyberattacks, power/system failures, natural disasters or geopolitical events. It involves identifying essential/critical functions, assessing risks and designing strategies to minimise downtime. Unlike Disaster Recovery Planning (DRP), which covers only technical functions, BCP's scope is more holistic, encompassing people, processes, technology and compliance. The goals of BCP are to minimise downtime, protect reputation and safeguard stakeholders' interests, while enabling swift recovery aligned with business and regulatory requirements.

Scene 4 (1m 26s)

[Audio] Beyond operational resilience, BCP safeguards regulatory compliance and customer trust. A robust BCP can mitigate financial or reputational fallout and can transform risk management into a strategic advantage. By embedding practices like automated failover, vendor redundancy and crisis simulations, a company can demonstrate reliability to partners and investors. In Singapore's competitive financial ecosystem, a tested BCP is less about survival and more about sustaining growth amid uncertainty.

Scene 5 (2m 2s)

[Audio] Key Components of BCP:
1. Governance, Policy Framework & Accountability
2. Risk Assessment
3. Business Impact Analysis (BIA)
4. Recovery Objectives & Strategies
5. Dependency Mapping & Risk Mitigation
6. Testing & Continuous Improvement
7. Incident & Crisis Management
8. Audit & Compliance

Scene 6 (2m 30s)

[Audio] 1. Governance, Policy Framework & Accountability
- The Board and Senior Management must provide leadership and accountability for BCP, integrating it into the company's risk management and allocating adequate resources for implementation.
- Define roles and personnel (e.g. Crisis Lead, Head of IT Recovery).
- Adopt a risk-based approach and integrate BCP into enterprise risk management.
- Issue a board-approved risk appetite statement and ensure the policy framework encompasses processes, systems, people, vendors and facilities.
- Document and regularly update policies to ensure compliance with regulatory requirements (e.g. a Recovery Time Objective (RTO) of ≤4 hours for critical systems, reporting of severe incidents within 1 hour, etc.).

Scene 7 (3m 8s)

[Audio] 2. Risk Assessment
- Risk identification, assessment and treatment should be carried out. Tools such as a Risk Matrix/Heat Map, Fault Tree Analysis, Threat, Vulnerability & Risk Assessment and Risk Registers can be used.
- Singapore-specific risks may include subsea cable disruptions and ASEAN supply chain risks.
- Fintech-specific risks may include cyberattacks, cloud outages, fraud, vendor failures and data centre downtime.
- A Financial Institution (FI) or Fintech company should also identify the threats and vulnerabilities applicable to its IT environment, including information assets that are maintained or supported by third-party service providers.
- A set of criteria for measuring and determining the likelihood and impact of the risk scenarios should be established.

Scene 8 (4m 0s)

[Audio] 3. Business Impact Analysis (BIA)
- BIA is the foundation of a BCP. It helps a company understand the effects of a disruption on business operations and prioritise recovery efforts.
- It is used to identify critical business functions, systems and processes. Examples of critical functions/business services include payment processing, API uptime, fraud monitoring, etc.
- It evaluates/estimates the potential impact of disruptions to these functions and helps determine the resources necessary for recovery.
- It establishes Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical function/business service to address maximum tolerable downtime.
- It is important to have a prioritised list of the functions and services that need to be restored first in the event of a disruption.

Scene 9 (4m 52s)

[Audio] Examples of Critical Functions/ Business Services, by type of business service:
- Banking: cash transactions; lending; deposit-taking; treasury; private banking and wealth management; investment banking or corporate finance; trade services.
- Insurance: claims servicing (including surrender); policy renewal and servicing; policy inception.
- Financial Market Infrastructures: derivatives trading, clearing, settlement and reporting; securities trading, clearing, settlement and depository; administering of benchmarks; payments clearing and settlement.
- Broking and Custody: trading, clearing, settlement and custody.
- Asset Management: portfolio management and trading; trade settlement and operations; trustee services, including fund administration and valuation; processing of subscriptions and redemptions in fund units (transfer agency).
- Payment Services: cross-border and domestic funds transfer; credit/debit card payments; e-wallet payments/prepaid card payments.

Scene 10 (5m 55s)

[Audio] 4. Recovery Objectives & Strategies
- Recovery Time Objective (RTO)/Service RTO (SRTO) refers to the target recovery time for each function/service (its downtime tolerance). If the RTO for a system is 1 hour, it must be restored within 1 hour of a failure. It is also important to ensure that underlying functions and dependencies are aligned with the RTO.
- Recovery Point Objective (RPO) is the maximum amount of data loss an organisation can tolerate after a disruption. RPO is also measured in time: if the RPO is 15 minutes, systems must be backed up at least every 15 minutes so that no more than 15 minutes' worth of data is lost during a failure.

Scene 11 (6m 51s)

[Audio] For Recovery Strategies, a company can implement measures such as:
- Backups at alternate sites: a Hot Site (fully equipped, real-time backup facility), a Warm Site (pre-prepared backup location with partial infrastructure) or a Cold Site (basic infrastructure only).
- Data replication with cross-border support for data recovery, involving real-time or scheduled syncing of data across multiple locations.
- Engaging a Disaster Recovery as a Service (DRaaS) solution or High Availability (HA) clustering for system recovery.
- Manual workarounds and cross-training for process recovery.

Scene 12 (7m 30s)

[Audio] 5. Dependency Mapping & Risk Mitigation
- Dependency mapping is a systematic process to identify and document all internal/external dependencies (people, systems, processes, technology, vendors, data flows, etc.) of critical services. This allows a company to consider the implications of their unavailability and address any gaps that could hinder an effective and safe recovery. An example is auditing third-party Service Level Agreements (SLAs), which must align with RTOs.
- Risk mitigation involves proactive measures to reduce the likelihood and impact of risks. Concentration risks can be mitigated through split/backup teams, function segregation, network segmentation, dual sourcing of vendors, multi-cloud/data centre redundancy, etc.

Scene 13 (8m 22s)

[Audio] 6. Testing & Continuous Improvement
- Test regularly and validate BCPs through scenario-based tests (e.g. alternate site activation, cyber incidents) and lessons learnt.
- Deploy tools that facilitate testing and real-time monitoring, such as AI-simulated scenarios, analytics and digital twins, to model impacts and test resilience.
- Improve through remediation of findings identified in tests/audits, followed by implementation tracking and refinement.
- Adapt the BCP to emerging threats and participate in cross-sector resilience exercises within the industry.

Scene 14 (9m 4s)

[Audio] 7. Incident & Crisis Management
- Have a crisis framework that defines roles, communication plans and escalation protocols.
- Perform a severity assessment upon incident detection, followed by Root Cause Analysis and the implementation of remediation.
- There should be an Incident Response Plan outlining the immediate actions to be taken in response to an incident or crisis, and a Communication Plan that establishes communication protocols for both internal and external parties.
- Proactive communication/updates to stakeholders, customers, regulators and staff should be made via suitable channels. They should be informed of the expected service restoration time/date and the available alternate modes.
- Prepare root cause and impact reports.

Scene 15 (9m 53s)

[Audio] 8. Audit & Compliance
- Have independent audits and assess BCP effectiveness, with findings escalated to senior management.
- There should also be regulatory alignment: a company must adapt the guidelines in accordance with its licence/profile and report to the relevant regulators upon request.
- For example, under MAS Notices, Guidelines and relevant Acts, Fintechs must conduct yearly BCP testing and triennial independent audits, report severe incidents within 1 hour, meet an RTO of within 4 hours, notify customers of breaches within 72 hours, etc. Failure to comply could risk licence suspension or fines.

Scene 16 (10m 35s)

[Audio] Essentials for Fintech Companies in Singapore:
- Guidelines on Business Continuity Management (BCM) & Technology Risk Management Guidelines (TRM)
- MAS Act & Financial Services and Markets Act
- MAS Notices relating to TRM: FSM-N05, FSM-N13 & FSM-N21
- Personal Data Protection Act (PDPA)
- Cybersecurity Act (CSA)
- MAS Notices on Cyber Hygiene: FSM-N06 and FSM-N22
- MAS' Framework for Impact and Risk Assessment of Financial Institutions
- Banking Act, Notices 658 & 1121

Scene 17 (11m 24s)

[Audio] In Singapore, MAS recognises that Financial Institutions (FIs) are highly interconnected, so severe disruptions may have a broader contagion effect on the financial system. MAS is concerned with both the soundness of individual FIs and the stability of the financial system. Therefore, MAS has issued the Guidelines on Business Continuity Management (BCM) (last updated Jun 2022), which introduce principles and practices that FIs may implement to strengthen their operational resilience, and the Technology Risk Management Guidelines (TRM) (last updated Jan 2021), which set out technology risk management principles and best practices.

Scene 18 (12m 14s)

[Audio] Guidelines on Business Continuity Management (BCM) excerpt. A Financial Institution (FI) should:
- Identify its critical business services and functions by considering the impact of their unavailability on the FI's safety and soundness; on the FI's customers, based on the number and profile of customers affected as well as how they are impacted; and on other FIs that depend on the business service.
- Put in place measures to enable third parties to meet the SRTOs of critical business services.
- Mitigate concentration risks through primary-secondary sites, segregation, split teams/cross-training, cross-border support and alternative service providers.
- Audit its overall BCP framework and the BCP of each of its critical business services at least once every three years.
- Actively monitor and identify threats and carry out ongoing improvements.
Further reading at https://www.mas.gov.sg/regulation/guidelines/guidelines-on-business-continuity-management.

Scene 19 (13m 17s)

[Audio] Technology Risk Management Guidelines (TRM) excerpt. An FI should establish a risk management framework to manage technology risks that encompasses:
- Risk identification: identify threats and vulnerabilities to the FI and its information assets.
- Risk assessment: assess the potential impact and likelihood of threats and vulnerabilities to the FI and its information assets.
- Risk treatment: implement processes and controls to manage the technology risks posed to the FI and to protect the confidentiality, integrity and availability of information assets.
- Risk monitoring, review and reporting: monitor and review technology risks, including risks that customers are exposed to and changes in business strategy, IT systems, and environmental or operating conditions, and report key risks to the board of directors and senior management.
Further reading at https://www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines.

Scene 20 (14m 16s)

[Audio] Notices issued by MAS relating to TRM. FSM-N05 applies to all banks in Singapore. FSM-N13 applies to operators and settlement institutions of designated payment systems and to holders of a payment services licence. FSM-N21 applies to capital markets financial institutions. Under these Notices an FI must:
- Put in place a framework and process to identify critical systems.
- Report to MAS within 1 hour upon the discovery of a relevant incident.
- Ensure that the maximum unscheduled downtime for each critical system does not exceed a total of 4 hours within any period of 12 months.
- Establish an RTO of not more than 4 hours for each critical system.
- At least once every 12 months, validate and document how it performs its system recovery testing and when the RTO is validated during that testing.
- Submit a root cause and impact analysis report within 14 days from the discovery of an incident.

Scene 21 (15m 15s)

[Audio] Acts and Notices that may be relevant to a Fintech in Singapore. Non-compliance with notices and breaches of laws and regulations can result in severe penalties, including fines, sanctions and revocation of a financial institution's operating licence in Singapore.
- Monetary Authority of Singapore Act 1970: an Act that gives MAS the authority to regulate the financial services sector in Singapore. MAS uses this Act to enforce technology risk, AML/CFT and data protection rules. MAS regulates the activities of capital market entities under the Securities and Futures Act (SFA), Trust Companies Act (TCA) or Financial Advisers Act (FAA).
- Financial Services and Markets Act (FSMA) 2022: an omnibus Act for the sector-wide regulation of financial services and markets, with harmonised powers to impose requirements on TRM. The maximum penalty for breaches of Regulations and Notices issued under the FSMA is S$1 million.
https://www.mas.gov.sg/regulation/acts/mas-act
https://www.mas.gov.sg/regulation/acts/financial-services-and-markets-act-2022

Scene 22 (16m 33s)

[Audio] MAS Framework for Impact and Risk Assessment of Financial Institutions. This document, released by MAS, shows how MAS assesses the impact and risks of financial institutions using the Comprehensive Risk Assessment Framework and Techniques (CRAFT) risk assessment process. Essentially, MAS identifies significant activities and assesses inherent risk and control factors, oversight and governance, and capital and support. This framework allows for risk-based supervision and helps MAS identify and supervise domestic systemically important banks (D-SIBs) and domestic systemically important insurers (D-SIIs) in Singapore. Understanding CRAFT helps key FI stakeholders know MAS's supervisory priorities. Website: https://www.mas.gov.sg/publications/monographs-or-information-paper/2007/mas-framework-for-impact-and-risk-assessment-of-financial-institutions.

Scene 23 (17m 28s)

[Audio] Personal Data Protection Act (PDPA) 2012. The PDPA mandates data security and breach response, which directly impacts BCP for financial institutions handling customer data. It requires a firm to implement reasonable security measures to prevent breaches; non-compliance risks fines and penalties. The Personal Data Protection Commission (PDPC) must be notified of a notifiable data breach within 3 calendar days. PDPC has issued:
- Advisory Guidelines on Key Concepts in the Personal Data Protection Act
- Guide on Managing and Notifying Data Breaches Under the PDPA
Website: https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act and https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide.

Scene 24 (18m 15s)

[Audio] Cybersecurity Act 2018 & Cyber Security Agency of Singapore (CSA). FinTechs must comply with the Cybersecurity Act, especially if they are, or interact with, Critical Information Infrastructure (CII). CSA has identified a total of 11 sectors with CII and has provided a Security-by-Design framework, a checklist and the following guides:
- Guide to Conducting Cybersecurity Risk Assessment for CII, which provides guidance to CII Owners on how to perform a proper cybersecurity risk assessment.
- Guidelines for Auditing Critical Information Infrastructure, which set out the expectations for cybersecurity audits.
- Guide to Cyber Threat Modelling, which provides a systematic way for CII Owners to identify threats for cybersecurity risk assessment.
Website: https://www.csa.gov.sg/legislation/supplementary-references/.

Scene 25 (19m 14s)

[Audio] Notices issued by MAS relating to cyber hygiene. MAS has issued Notices that set out cyber security requirements on securing administrative accounts, applying security patches, establishing baseline security standards, deploying network security devices, implementing anti-malware measures and strengthening user authentication.
- FSM-N06: requirements on cyber hygiene for banks in Singapore.
- FSM-N22: requirements on cyber hygiene for capital markets financial institutions.
Key requirements include use of Multi-Factor Authentication (MFA) for critical systems, timely security patching, and regular vulnerability assessments and penetration testing.
https://www.mas.gov.sg/regulation/notices/notice-fsm-n06
https://www.mas.gov.sg/regulation/notices/notice-fsm-n22

Scene 26 (20m 3s)

[Audio] Banking Act (BA) 1970. The Act governs the licensing and regulation of banks, merchant banks and related institutions. MAS has issued Notices that set out the requirements a bank in Singapore has to comply with for the purposes of managing the risks associated with the bank's outsourced relevant services.
- Notice 658: Management of Outsourced Relevant Services for Banks.
- Notice 1121: Management of Outsourced Relevant Services for Merchant Banks.
A bank must record in a register (a) all ongoing outsourced relevant services obtained/received from a service provider and (b) outsourced relevant services obtained/received from a service provider which involve the disclosure of customer information.
Website: https://www.mas.gov.sg/regulation/notices/notice-658 and https://www.mas.gov.sg/regulation/notices/notice-1121.

Scene 27 (20m 52s)

[Audio] Sample BCP Template Structure
Section 1: Governance
- Board Approval: a documented BCP policy signed off by senior management.
- Roles & Responsibilities: BCM Officer and Incident Response Team (from IT, Compliance, PR).
Section 2: Risk Assessment & BIA
- Critical Functions: a list of systems with MAS-compliant RTO/RPO, e.g. payment processing (RTO ≤4 hrs) and customer data access (RPO ≤15 mins).
- Threat Matrix: cyberattacks, cloud outages, third-party failures.
Section 3: Recovery Strategies
- IT Redundancy: primary AWS Singapore; backup Google Cloud Sydney.
- Data Backups: encrypted, tested weekly (PDPA compliant).
- Vendor SLAs: set a penalty for downtime and require >99.9% uptime.

Scene 28 (21m 8s)

[Audio] Section 4: Incident Response
- 1-Hour Reporting Workflow: 1. Detect > 2. Assess > 3. Notify MAS via the Electronic Submission System.
- PDPA Breach Plan: customer notifications, and notification of PDPC within 3 calendar days.
Section 5: Testing & Maintenance
- Annual Tests: tabletop exercises and full-scale failover drills.
- Post-Testing Review: corrective actions within 1 month.
Section 6: Regulatory Documentation
- Audit Trail: logs of tests, incidents and reports to be retained for 5 years.

Scene 29 (21m 20s)

[Audio] Future Developments in BCP that are relevant for Fintechs. Future developments are likely to be more dynamic and tech-integrated, driven further by regulatory shifts, technological advancements and emerging risks.
- Integrated Frameworks: convergence of BCP, cybersecurity and fraud prevention, and use of a unified platform to manage risks.
- Alignment with international standards: ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). The Digital Operational Resilience Act (DORA) is a European Union regulation.

Scene 30 (22m 2s)

[Audio] Real-Time & AI-Driven Responses
- AI-driven disruption prediction and automated detection of disruptions, triggering predefined recovery actions in real time.
- Automated failover that allows automatic switching of network traffic.
- AI-powered Security Information and Event Management (SIEM) tools and autonomous deployment of recovery scripts.
- Greater emphasis on cyber resilience, with increased demands on cryptographic security: protection against quantum-era attacks and putting in place quantum-safe encryption strategies.

Scene 31 (22m 38s)

[Audio] Case Study - SingHealth Cyberattack (2018)
- Incident: 1.5 million patients' records, including outpatient and prescription data, were stolen. An APT (Advanced Persistent Threat) by state-sponsored actors made the initial breach via malware on a front-end workstation, subsequently moved into SingHealth's internal systems and exfiltrated data to external servers.
- BCP Relevance: it took over 100 days to detect the breach, reflecting poor detection and response. Security Information and Event Management (SIEM) alerts were likely ignored or misconfigured, or staff were inadequately trained. Attackers moved freely between IT systems once inside, and there was no segmentation to protect critical databases.
- Consequences: attackers could have deleted or encrypted all patient data. PDPC fined IHiS $750,000 and SingHealth $250,000.
- Lessons: SIEM rules must be validated with red-team exercises. More stringent audits on vendor (IHiS) systems are needed to ensure third parties meet the same security standards. 2FA for all administrators and proactive threat hunting.

Scene 32 (23m 59s)

[Audio] Case Study - GrabPay System Outage (2023)
- Incident: a system glitch made GrabPay services unavailable for hours, affecting payments, top-ups and transfers. The incident was due to a cloud infrastructure failure at the primary service provider, with cascading failures in payment processing systems.
- BCP Relevance: vendor risk management, given the over-reliance on a single cloud provider. The contractual SLA on maximum downtime was not strict enough to address the RTO.
- Consequences: reduction in customer trust and brand equity; opportunity costs of lost revenue.
- Lessons: multi-cloud strategies are essential for critical services. Systems should not fail catastrophically. Regional services need harmonised BCP standards.

Scene 33 (24m 57s)

[Audio] Case Study - Robinhood System Outage (2020)
- Incident: the platform was unavailable during peak volatility, with the order management system overwhelmed by significantly larger than normal volume. Cloud cost controls limited horizontal scaling, and DNS failover took significantly longer than its intended RTO.
- BCP Relevance: capacity planning and stress tests did not cover a large enough test load. Cloud architecture planning was based on a single-region deployment for critical components. The status page was also not updated promptly.
- Consequences: significant class action settlements of $12.6 million in restitution to thousands of customers and a $57 million penalty.
- Lessons: the need for better and more refined scenario-based testing. Multi-region dynamic deployment with volume-based auto-scaling overrides should be planned.

Scene 34 (25m 57s)

[Audio] Case Study - Crypto.com Cyber Attack & Account Access Incident (2022)
- Incident: unauthorised withdrawals amounting to nearly US$35 million, affecting hundreds of account holders. Hackers exploited weaknesses in the platform's 2FA infrastructure.
- BCP Relevance: the importance of incident detection, escalation and containment. Cybersecurity risks must be fully integrated into BCPs, especially for Fintechs handling digital assets. Recovery of customer trust through reimbursement and transparency is critical for continuity, as are robust procedures for platform suspension, incident analysis, regulatory reporting and external communications.
- Consequences: significant compensation to customers.
- Lessons: being able to quickly freeze services, assess the breach and communicate helped minimise reputational damage. There is a need for stronger user authentication controls and real-time fraud detection.

Scene 35 (27m 6s)

[Audio] Well Done! You have completed the course.