Cybercrime is increasing at an eye-popping rate.
Each month we witness several cases of hacking or ransomware attempts, large-scale or not. Hackers are getting more sophisticated in their attempts, and no industry is left untouched. The attacks are getting more advanced by the hour, and thus governments all over the globe are forced to take appropriate yet strict measures to keep such cybercrime attempts at bay.
The Monetary Authority of Singapore (MAS) is one of the most prompt government organizations to release risk management guidelines to all financial institutions having branch offices in Singapore.
The newer, revised version of the 2008 MAS Internet Banking and Technology Risk Management (IBTRM) guidelines was renamed the Technology Risk Management Guidelines (TRM Guidelines), and it took effect on 1st July 2014.
Here are a few guidelines and instructions all financial institutions need to comply with to stay away from reprimands and heavy fines:
MAS Exclusive Guidelines and Compliance Instruction
Precautionary Measures Before the Incident
I. MAS suggests that financial institutions adopt a proper technology risk management framework to manage and mitigate cyber threats in a systematic and consistent way. The framework includes the following instructions:
1. All staff members involved should be allotted specific duties in light of cybercrime attempts, including recording, monitoring, and analyzing incidents.
2. All organizations should install appropriate security monitoring systems to keep a close eye on any unauthorized activity (external or insider attempts) taking place inside their premises.
3. To detect and deflect network intrusion attacks, all organizations are advised to implement network surveillance and monitoring systems. Such tools and systems help in real-time detection of malicious activities.
4. Review the security logs of network devices, applications, and systems on a regular basis to spot and correct any anomalies.
5. Make sure to retain system logs so that any future investigation can proceed smoothly.
6. Subject all IT system assets to adequate and timely checks to keep any unwarranted misuse, fraudulent modification, deletion, insertion, substitution, or disclosure at bay. All requests to access crucial IT resources should be duly authorized by the resource owner.
7. Third parties, vendors, and service providers should be closely monitored and subjected to access restrictions. Do not allow them privileged access to systems without appropriate supervision.
8. Every user should be uniquely identified to put a stop to unauthorized access. Use two-factor authentication for privileged users and restrict the number of such users. Adopt and maintain audit logging of their system activities.
9. All financial institutions are advised to institute effective risk management practices and internal controls to maintain proper data confidentiality, reliability, security, resiliency, and recoverability across the organization.
10. FIs should establish and maintain a clear policy on information system asset protection. Appropriate plans should be developed to protect critical systems.
Risk Assessment & Treatment
1. Once a risk has been identified, properly analyze and quantify its potential impact on the overall business.
2. Develop a threat and vulnerability matrix to assess each threat’s impact on the IT environment. This matrix is also the best way to determine risk management priorities in an organization.
3. FIs are advised to generate mitigation and control plans for each type of threat identified.
4. FIs should ensure that the costs involved in risk management are commensurate with the benefits derived from it.
5. FIs can also take out insurance cover for insurable risks such as recovery and restitution costs.
Risk Monitoring and Reporting
1. All incidents should be appropriately managed to avoid mishandling that might result in a prolonged disruption of IT services.
2. The incident report should include a summarized version of the possible root cause of the incident.
3. All incidents should be reported within 72 hours of realization.