In June 2013, the Monetary Authority of Singapore (MAS) released its Technology Risk Management Guidelines (TRM), advising Singaporean financial institutions (FIs) on how to protect their systems, data, and networks from a multitude of technology risks. The guidelines set out risk management principles and best-practice standards to guide FIs in establishing a robust technology risk management framework, strengthening the security and resiliency of their systems, and deploying strong authentication to protect customer data, transactions, and systems. While the guidelines are not legally binding, they are statements of industry best practice which FIs are expected to adopt.
However, in the face of ever-increasing cyber-attacks and digitalization, the Monetary Authority of Singapore has proposed to make six essential cyber-security measures legally binding for all Singapore-based financial institutions. Although the Technology Risk Management Guidelines already contain these recommendations, the regulator has gone a step further by making them mandatory and legally binding.
The six measures include:
- addressing system security flaws in a timely manner,
- establishing and implementing robust security for systems,
- deploying security devices to secure system connections,
- installing anti-virus software to mitigate the risk of malware infection,
- restricting the use of system administrator accounts that can modify system configurations, and
- strengthening user authentication for system administrator accounts on critical systems.
The proposal is aimed at strengthening the overall preparedness of financial institutions and countering cyber breaches, which are due to a lack of proper cyber hygiene, insecure system configurations, and compromised accounts. The measures aim to enhance financial institutions' system security, network security, and privileged access management.
In addition, periodic penetration testing, regular phishing testing, and cybersecurity awareness training for employees will ensure that FIs' systems and networks are well safeguarded against external threats and social engineering attacks. FIs must also ensure they have in place robust business continuity plans, sound cybersecurity policies, and the technology investments necessary to enforce those policies.