Our Work

Regulatory Compliance (MAS TRM) and Security

The Client

iSTOX is the first regulated exchange for digitised securities in Asia that is established and operated by ICHX Tech Pte Ltd in 2017.

Licensed by the Monetary Authority of Singapore (MAS) under the Securities and Futures Act (Cap 289), the company is recognised as a known market operator. iSTOX provide investors access to the capital markets in a secure, compliant and cost-effective manner.

The Problem

ICHX offers a platform for issuance, settlement, custody, and secondary trading of digitised securities. In order to offer regulatory-compliant platform, ICHX seeks to ensure that both its application and its own operations comply with the MAS Technology Risk Management (TRM) guidelines and Notice and MAS Guidelines on Outsourcing without breaking or offering a sub-standard platform.

ICHX require financial, technical and regulatory knowledge from partner that support ICHX through their regulatory compliance journey.

The Project

As a result, ICHX requested Pragma to help support in achieving MAS license. The scope of service included:

• Help design, document and test a secure, robust cloud blockchain architecture for their platform.
• Create and implement policies and procedures that meet the requirements of MAS Technology Risk Management Guidelines and Notice and MAS Guidelines on Outsourcing.
• Support the training with processes that can be used by internal teams.
• Perform Penetration and Vulnerability Testing on the platform
• Perform a secure code review and recommend fixes
• Meet with regulators to ensure all compliance requirements are met

The Outcome

Our expert team enabled ICHX to obtain MAS license. We helped them secure their platform’s architecture covering the applications design, network infrastructure design and security design of the processes. This was achieved with our AWS and Security Architects. In addition, we documented 77 polices, procedures and process to obtain a license. These polices and procedures are linked with MAS TRM, and Outsourcing. We performed multiple penetration tests to ensure the platform is tested and robust against attacks.

Working as one team we have worked with ICHX to ensure they achieve the coveted MAS licenses (RMO, CMS) to operate in Singapore.

View our AWS Case Study

Penetration Testing: FPG Insurance

The Client

As Asia’s trusted name in general insurance, FPG provides a comprehensive range of general insurance products for both businesses and individuals, across the Asia Pacific region. FPG had a new website and mobile application to launch. As an insurance company, they are responsible for the safety of their clients’ data and needed a secure environment to reduce any potential cyber breaches.

The Project

The scope of service for FPG systems include a security testing on their mobile application, backend server and web application. The testing began with a thorough scan of the website and mobile applications, followed by a detailed report to illustrate the security issues. In the first round of security assessment, Pragma identified 44 issues, of which 90% of critical issues were successfully remediated while the remaining being issues with acceptable risks during the second round. It took two weeks for our penetration testing team to discover all the vulnerabilities.

The Outcome

Our report serves as a silver bullet for FPG to troubleshoot their potential cyber risks.  We presented a report that links back to FPG’s business objectives, including an executive summary, security risk and severity, the scope of work, and recommended solutions to launch their web applications confidently.

Private Wealth Roboadvisory: Connect by Crossbridge

The Client

With offices in London, Singapore, Monaco and Malta, Crossbridge Capital delivers Wealth Management, Corporate Advisory and Family Office services to entrepreneurs and families globally. Through its CONNECT brand, it also offers a digital advisory platform to investors from Singapore.

Banque Julius Baer, the renowned Swiss private banking group, is a founding minority shareholder of Crossbridge Capital.

The Project

As the first cloud-based RoboAdvisory to go live in a country that prides itself on the stability of its financial sector, and as a firm dedicated to protecting its clients assets, CrossBridge had to get the security of its CONNECT platform just right. Crossbridge hired two security firms: one to provide in depth due diligence on the security of the platform, and help ensure it met the stringent Monetary Authority of Singapore Technology Risk Management Guidelines (MAS TRM), and another to run state of the art penetration testing to ensure no surprises.

The Outcome

Crossbridge CONNECT launched successfully, on time, and continues to offer a digital advisory platform to accredited investors, reducing volatility and enhancing performance through diversification across multiple asset classes. Truly a smarter way to invest.

Incident Response: Company Confidential

The Client

A global insurance group with 15 member companies, our client has a large product line and an enormous global customer base. Like all global corporations, our client outsources some of its business processes to specialist online service providers.

The Project

Our client notified us of a potential incident involving a service provider. We mobilised a specialist team onsite to identify, detect, and analyse unusual operations at the service provider, and trace back to an underlying root cause. We contained and isolated the incident to prevent any further spread, identified the egress points, and worked with the service provider to remediate the incident and identify key upgrades to their security infrastructure to prevent future attacks. We then worked with the client’s team to provide a clear root cause analysis to be submitted to the regulators.

The Outcome

The outcome was equally positive for the two security firms: having worked together successfully once, they banded together to found Pragma Pte and deliver successful outcomes to a wider range of clients.

Identity Governance (SailPoint): Hong Kong Brokerage and Research

The Client

A leading brokerage and investment firm, our client focuses on insitutional brokerage, investment banking and asset management for corporate and institutional clients around the world. Headquartered in Hong Kong and with offices and staff spanning the globe, successful identity and access management is key to protecting its digital assets.

The client choose Sailpoint IdentityIQ, the industry leading Identity Governance solution, as its strength and modular architecture allows for rapid expansion across the enterprise. SailPoint’s stellar industry reputation certainly helped: it has been named a Leader in Gartner’s Identity Governance and Administration (IGA) Magic Quadrant every year the report has been published.

The Project

Pragma worked with the client to rapidly prototype a Sailpoint deployment, mirroring its existing in-house identity platform to allow a seamless upgrade from old to new. Pragma deployed custom connectors to critical apps, and developed flexible approval workflows that The client was able to protect its customers and its reputation from further damage. The eradication of the cyber criminals from the service providers system via our technology and business advice enabled the service provider to update and upgrade their service offering, to ensure minimal future incidents.

Compliance Due Diligence: CMC Markets

The Client

CMC Markets is Singapore’s best trading platform for value, with over 10,000 CFD markets to trade across forex, indices, commodities, shares, ETFs and treasuries. With such a diverse product range, tight control over trading limits is essential to support the risk management functionality that is key to their trading experience.

The Project

CMC required a due diligence attestation on compliance criteria prescribed by the Monetary Authority of Singapore. To enable the attestation we tested the process, procedures and technology implemented by CMC against the compliance criteria. We conducted the design and operational effectiveness for a six months period across all products within the Contract for the Difference (CFD) CMC financial markets services. Our unique consultants have both financial markets, regulatory and technology experience, which was a key requirement in delivering a world class service.

The Outcome

CMC Markets can independently demonstrate via the attestation that CMC are compliant to the regulatory requirements set out by MAS. The attestation enables CMC show comfort to their clients that they can offer CFD products that are both compliant to the regulation and inline to protect clients and CMC.
CMC were the first brokerage in Singapore to be able to show independent compliance to MAS regulations for CFD products.