Central Bank Spells Out Essential Steps
The Monetary Authority of Singapore, the nation's central bank, has mandated that financial institutions comply with risk management guidelines within the next 12 months in an effort to strengthen the cyber resilience of these organizations.
Complying with the risk management guidelines is legally binding for banks, insurance brokers, financial advisers, financial holding companies, e-payment companies and capital markets. Over 1,600 of these firms are licensed by the central bank.
"Cyber threats in the financial sector are growing because of increased digital footprint and pervasive use of the internet," says Tan Yeow Seng, chief cybersecurity officer at MAS. "The financial sector must remain vigilant and ensure that defenses are able to counter varied and evolving threats."
The guidelines require that financial institutions:
Ensure patching updates are applied to address system security flaws in a timely manner;
Deploy security devices to restrict unauthorized network traffic;
Implement measures to mitigate the risk of malware infections;
Secure the use of system accounts with special privileges to prevent unauthorized access;
Strengthen user authentication for critical systems as well as systems used to access customer information.
Financial institutions have until Aug. 6, 2020 to comply with all the new guidelines.
"Good cyber hygiene can go a long way in protecting financial institutions from common types of cyber incursions as the proposed fundamental and essential measures can be implemented by all financial institutions regardless of size or system complexity," Seng says.
Commenting on the new requirements, Singapore-based Aloysius Cheang, board director and EVP for APAC at the Center for Strategic Cyberspace and International Studies, says: "The cyber hygiene guidelines are best practices targeted at [preventing] mobile payment fraud. New authentication mechanisms like facial recognition and other risk management frameworks are now made mandatory; any violation to comply with them will have legal ramifications, and the organizations will be penalized."
Rising Breaches: A Concern
Singapore's central bank has established the new requirements in the wake of recent security incidents, including:
The leak of data on the HIV-positive status of more than 14,000 patients exposed online, allegedly by a U.S. citizen whose partner was a Singapore doctor who had authority to access the data;
A SingHealth breach that the exposed data of about 1.5 million patients, including the prime minister;
The exposure on the internet of personal information of more than 800,000 blood donors for more than nine weeks;
"When we looked at all incidents that happened globally and in Singapore, we realized that 90 percent are a result of basic cyber hygiene not being followed," Vincent Loy, assistant managing director of technology at MAS, told The Straits Times. "All cybersecurity incidents confirmed the need for cyber hygiene rules, which we first thought of having two years ago."
The guidelines could help banks shore up their security controls, Cheang says.
To help financial institutions build a robust cybersecurity framework, Seng says, "we are enabling financial institutions to take time to design, acquire and integrate robust user authentication technology into their critical systems."
Singapore's Parliament soon will vote on new breach notification requirements, and the new security requirements for financial institutions could play a role in helping minimize breach risks, Cheang says.
Lena Ng, a Singapore-based counsel and consultant at the risk management firm Clifford Chance, says MAS worked with the Personal Data Protection Committee closely in determining risks for the financial sector to put in place regulations that would help the banks in building a robust security posture.
Other Cybersecurity Measures
Earlier, MAS launched a Cybersecurity Capabilities grants program to provide a total of 30 million Singapore dollars ($22 million) to support developing advanced cybersecurity functions at financial institutions.
The grants will fund up to 50 percent of qualifying expenses, capped at S$3 million for each project, for financial institutions to establish global or regional cybersecurity centers of excellence in Singapore.
"The grants will support financial institutions with key global or regional cybersecurity functions and operations in Singapore to expand and deepen their cybersecurity capabilities locally," Seng says.
In addition, MAS partnered with the Singapore Chapter the Financial Services Information Sharing and Analysis Center to establish the Asia Pacific Regional Intelligence and Analysis Center to encourage regional sharing and analysis of cybersecurity information within the financial services sector.
Sopendu Mohanty, chief fintech officer at MAS, says: "The objective behind partnering with FSISAC is to bolster the quality and timeliness of cyber threat intelligence received by financial institutions, strengthen cybersecurity risk management and response as well as champion cybersecurity programs and initiatives in the APAC region."
And in a new initiative to drive innovations in the financial sector, MAS launched Sandbox Express to provide firms with a faster option to test innovative financial products and services in the market.
Source: Bank Info Security