Enhancing IT Disaster Recovery Capabilities
- Calvin Chong

- Aug 8, 2025
Introduction
On 25th June 2025, the Monetary Authority of Singapore (“MAS”) published a circular to guide Financial Institutions (“FIs”) in strengthening their IT disaster recovery (“DR”) capabilities, emphasizing operational resilience to minimize service disruptions. This article summarises the essence of MAS recommendations derived from past incident reviews.
Key Recommendations from MAS
Weaknesses in an FI’s IT DR capabilities may lead to delayed or ineffective restoration of disrupted systems and financial services, resulting in public inconvenience and loss of confidence in the FI, or even jeopardizing the stability of the financial sector. MAS has shared recommendations in the following areas to assist FIs in enhancing their IT DR capabilities.
Area of Focus | Recommendation for FIs |
Third-Party Dependencies | FIs shall identify and document third-party dependencies, especially those classified as critical services, and use this data to establish DR protocols that ensure seamless collaboration between the FI and the third parties. FIs shall conduct joint IT DR tests with third parties to validate such collaboration and ensure that Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) reliant on third parties can be achieved. |
Real-Time Monitoring of Data Centres | FIs shall deploy real-time monitoring systems to detect anomalies in physical and environmental conditions (e.g., temperature, humidity, smoke). FIs shall establish defined thresholds and escalation protocols to ensure timely and effective incident response during incident management and DR activation. |
Backup and Recovery | FIs shall establish a robust backup strategy focusing on maintaining data integrity and availability and enabling timely restoration during disruptions. FIs shall perform restoration tests regularly to validate the effectiveness of the backup arrangements, including simulating realistic disaster scenarios (e.g., ransomware, data corruption, and outages). |
Recovery Readiness of Active-Active Systems¹ | FIs shall ensure each site in an active-active setup can independently handle the full workload if the other site is disrupted. FIs shall perform failover tests² regularly to verify that service continuity can be maintained over an extended period in the event of a site failure, without compromising system performance or data consistency. |
Abrupt System Failures and Unscripted Scenarios³ | FIs shall establish their backup protocols to address sudden disruptions (e.g., power outages, equipment failures). FIs shall integrate unscripted elements into DR testing to more accurately reflect and evaluate real-world conditions and test decision-making during disruptions. |
IT DR Automation | FIs shall automate IT DR processes to reduce human error, enhance consistency in execution and expedite recovery during disruptions. FIs shall document the automated recovery procedures and conduct regular validation to ensure their effectiveness and recency. FIs shall also retain manual recovery capabilities as a contingency to uphold operational resilience in the event of automated procedure failure. |
Summary
The latest MAS circular provides a clear strategic framework for strengthening IT Disaster Recovery capabilities across financial institutions. These guidelines serve as both regulatory requirements and strategic best practices for operational resilience.
FIs are expected to review and assess their current standards against these guidelines to further enhance their capabilities and should consider prioritizing three key action items:
- Comprehensive Assessment - Conduct thorough evaluations of existing disaster recovery capabilities against MAS regulatory benchmarks
- Targeted Enhancement - Implement strategic improvements across technology infrastructure, operational processes, and testing protocols
- Continuous Improvement - Institutionalize resilience through ongoing review and organizational culture development
How We Can Help
As a trusted compliance solutions advisor, we also partner with various IT specialist firms to assist you in understanding your IT security, performing gap analysis and proposing action plans to achieve your operational resilience. Feel free to reach out to us for a no-obligation discussion.
1 A configuration where multiple systems are simultaneously operational and actively handling traffic, providing redundancy and improved performance.
2 A process of evaluating if a system can move applications from the primary location to the recovery site.
3 Examples include a sudden power surge that damages critical servers and disrupts online services, a cyberattack that encrypts sensitive data and demands a ransom, and a natural disaster that disrupts communication networks and access to essential resources.



