E-briefing: Financial Institutions in Singapore to strengthen their cyber resilience - Monetary Authority of Singapore consults on cyber security measures
Recently, JP Morgan CEO, Jamie Dimon, warned that the “biggest vulnerability” for the financial system is the threat of cyber attacks. Hackers, especially those working for nation-states, have grown more sophisticated and more determined, especially as geopolitical tensions rise.
In addition to shoring up their own capabilities, countries are increasingly looking to require their financial institutions to protect themselves. Such is the case with Singapore. On 6 September 2018, the Monetary Authority of Singapore (“MAS”) issued a Consultation Paper on the proposed requirements for Financial Institutions (“FIs”) in Singapore to implement essential cyber security measures to protect their IT systems. The MAS has existing Technology Risk Management Guidelines in place to set out risk management principles and best practice standards for FIs to manage technology and cyber risks.
The proposed Notice on Cyber Hygiene will make it mandatory for FIs to implement the following six cyber security measures:
- address system security flaws in a timely manner;
- establish and implement robust security for systems;
- deploy security devices to secure system connections;
- install anti-virus software to mitigate the risk of malware infection;
- restrict the use of system administrator accounts that can modify system configurations; and
- strengthen user authentication for system administrator accounts on critical systems.
While the above measures are not groundbreaking per se, and while other jurisdictions like New York’s Department of Financial Services already require similar, if not even more rigorous, measures and plans, they form part of the initiatives by MAS to strengthen the overall cyber resilience of FIs within Singapore. In fact, MAS states that in developing the Notice, it “has referred to the cyber security guidance and regulations in other major jurisdictions to extract the most relevant and effective hygiene practices for FIs to adopt.”
MAS recognizes that many of the cyber breaches that have occurred globally were often due to poor cyber hygiene, such as insecure system configurations or compromised system accounts. The prescribed measures are aimed at enhancing the security of FIs’ systems and networks as well as mitigating the risks of unauthorized use of system accounts. MAS also focuses on proactive plans, and will expect companies to live up to those plans. So far, the recommendations are largely tech-neutral, in recognition of the fact that technologies change faster than regulations are updated. That said, MAS does require multi-factor authentication, which is quickly emerging as a technological best practice to help prevent phishing scams which so often form the basis of cyber attacks.
Other initiatives by the MAS include a review of the Technology Risk Management Guidelines (last updated in June 2013) and a partnership with the Financial Services Information Sharing and Analysis Centre (FS-ISAC) to establish its Asia Pacific Regional Analysis Centre in Singapore. The Regional Centre supports member financial institutions across nine Asia Pacific countries, allowing them to share and receive cyber threat information and other resources tailored for the region. In turn, this will build a sense of solidarity among stakeholders in the financial ecosystem.
The public consultation on the proposed Notice on Cyber Hygiene is open until 5 October.
Partner, Eversheds Harry Elias LLP
 See “Consultation Paper on Notice on Cyber Hygiene,” Monetary Authority of Singapore (6 September 2018), available at http://www.mas.gov.sg/News-and-Publications/Consultation-Paper/2018/Cons...
 See “Riding the Waves of Technology Innovation – The Nexus between Payments and Cybersecurity,” Keynote Speech by Mr Tan Yeow Seng, Chief Cyber Security Officer, Monetary Authority of Singapore (17 May 2018), available at http://www.mas.gov.sg/News-and-Publications/Speeches-and-Monetary-Policy....