MAS TRM and AWS Incident Response: Hitting the 1-Hour Notification Window
Singapore's MAS requires regulated financial institutions to notify within one hour of a relevant IT incident. This is the practical playbook for AWS workloads in ap-southeast-1, with the runbook, the evidence stack, and the common failure modes.
Inside the guide
The Monetary Authority of Singapore requires regulated financial institutions to notify within one hour of discovering a relevant IT or cyber security incident, followed by a root cause and impact report within 14 days. The 1-hour clock is the tightest cyber incident notification deadline in major jurisdictions and is non-negotiable. Hitting it on AWS requires three things in place before an incident: an unambiguous internal severity model that maps to MAS's "severe and widespread" / "material customer impact" tests, a pre-staged notification path to your MAS relationship manager and after-hours channel, and an AWS-native detection stack in ap-southeast-1 that can confirm scope in minutes rather than hours.
- The full regulatory rule, plain-language
- An hour-by-hour (or day-by-day) runbook
- The pre-incident AWS hardening that meets the standard
- Common mistakes seen in practice
- What to do this week to get ahead
Frequently asked questions
- How long do I have to notify MAS of a cyber incident?
- One hour from the time you discover a relevant incident. The clock comes from the MAS Notices that bind banks, capital markets services, insurers, and other regulated financial institutions — not from the TRM Guidelines themselves. MAS Notice 644 (banks), Notice SFA04-N06 (capital markets), and Notice 127 (insurance) all impose substantively the same 1-hour initial notification.
- Does the MAS 1-hour rule apply to AWS workloads?
- Yes. MAS supervises the regulated financial institution, not the cloud provider. Running on AWS does not transfer or dilute the notification obligation. The 1-hour clock applies regardless of whether the incident is in your application code, a misconfigured AWS resource, or an AWS-side service disruption that materially affects your customers.
- What is a 'relevant incident' under MAS TRM?
- A system malfunction or IT security incident that has a severe and widespread impact on the financial institution's operations, or a material impact on its service to customers. Cyber attacks that disrupt customer-facing services, unauthorised access to critical systems, and significant data theft or leakage are the canonical examples. Use the severity criteria in your IT Risk Management framework — MAS expects you to have one — to decide consistently.
- Do I need to keep data in Singapore for MAS compliance?
- Not strictly. MAS does not impose a hard data localisation rule for cloud workloads. It does expect rigorous outsourcing governance, including the right to audit and a workable exit plan, which is easier to demonstrate when production data and logs are in ap-southeast-1. For incident response specifically, keep CloudTrail and security logs in Singapore — having to negotiate cross-border evidence transfers during a 1-hour window is a strategy that loses.
- Can my MSSP or IR partner make the MAS notification?
- The notification obligation rests with the regulated financial institution. An MSSP can draft, prepare, and physically send the notification, but the named accountable person inside the FI must be in the loop and visible to MAS. Have written authority in place and have your relationship manager's direct number programmed in advance — MAS expects to hear from someone who can speak for the institution, not a third-party support engineer.
- What does MAS expect after the initial 1-hour notification?
- A root cause and impact analysis report within 14 days of the incident, followed by a final remediation report. The 14-day report is a substantive document covering technical root cause, timeline, customer impact, regulatory implications, immediate remediation, and longer-term measures. Start drafting it during the incident, not after.
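The data-residency answer above says to keep CloudTrail and security logs in Singapore. The following check is an added example, not part of the guide: it flags trails whose home region, S3 bucket, or CloudWatch Logs group sits outside ap-southeast-1. The trail names, bucket names, and account ID are constructed, and the inputs are assumed to be collected beforehand with `aws cloudtrail describe-trails` and `aws s3api get-bucket-location`.

```python
import json

REQUIRED_REGION = "ap-southeast-1"  # Singapore region named in the guide

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
SAMPLE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "sg-trail", "HomeRegion": "ap-southeast-1",
   "S3BucketName": "example-fi-logs-sg",
   "CloudWatchLogsLogGroupArn":
     "arn:aws:logs:ap-southeast-1:111122223333:log-group:cloudtrail:*"},
  {"Name": "legacy-trail", "HomeRegion": "us-east-1",
   "S3BucketName": "example-fi-logs-us"}
]}
""")

# Constructed bucket -> LocationConstraint map, one `get-bucket-location`
# result per bucket referenced by a trail.
SAMPLE_BUCKET_LOCATIONS = {"example-fi-logs-sg": "ap-southeast-1",
                           "example-fi-logs-us": None}


def audit_trails(describe_trails, bucket_locations, required=REQUIRED_REGION):
    """Return (trail, problem) pairs for log destinations outside `required`."""
    findings = []
    for trail in describe_trails.get("trailList", []):
        name = trail["Name"]
        home = trail.get("HomeRegion")
        if home != required:
            findings.append((name, f"home region is {home}"))
        bucket = trail.get("S3BucketName")
        if bucket not in bucket_locations:
            findings.append((name, f"location of bucket {bucket} not collected"))
        else:
            # S3 reports us-east-1 buckets with a null LocationConstraint.
            region = bucket_locations[bucket] or "us-east-1"
            if region != required:
                findings.append((name, f"bucket {bucket} is in {region}"))
        arn = trail.get("CloudWatchLogsLogGroupArn")
        if arn and arn.split(":")[3] != required:  # ARN field 4 is the region
            findings.append((name, f"log group is in {arn.split(':')[3]}"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_trails(SAMPLE_TRAILS, SAMPLE_BUCKET_LOCATIONS):
        print(f"{name}: {problem}")
```

A bucket missing from the location map is reported rather than assumed compliant, so an incomplete inventory shows up as a finding.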