Panel Offers Cybersecurity Advice to Singapore's Banks
Board Should Set Expectations; Supply Chain Risks Must Be Addressed
Financial institutions' boards as well as senior management should set clear expectations for cyber risk management and then carefully monitor the efforts, according to the Monetary Authority of Singapore's Cybersecurity Advisory Panel.
The panel, which recently convened to discuss the financial sector's cybersecurity challenges, also stresses the need for financial institutions to effectively manage cybersecurity risks in their IT supply chains, according to an announcement from the Monetary Authority of Singapore.
"Given the interconnectedness in the financial ecosystem and the borderless nature of cyber threats, the financial sector must work closely together to manage cyber risks, strengthen our cyber resilience and ensure the smooth and safe delivery of key financial services," Vincent Loy, assistant managing director, technology at MAS, said in welcoming the panel during MAS's 3rd Cybersecurity Advisory Panel meeting.
Commenting on the risk management challenges facing financial institutions in Singapore, Lena Ng of the consultancy Clifford Chance tells Information Security Media Group: "While the FIs are guided by the technology risk management guidelines prescribed by the Monetary Authority of Singapore, there is no [law] to adhere to, which is a big challenge among organizations."
One way to address this, she says, is to take a top-down approach in handling cyber risks, making it a board-level discussion. "It is important to enable the security teams to map the board's risk agenda and make it binding to comply with the regulatory guidelines," Ng says.
Tan Yeow Seng, chief cybersecurity officer at MAS, recently noted in a statement: "Cyber threats in the financial sector are growing because of increased digital footprint and pervasive use of the internet, and good cyber hygiene can go a long way in protecting financial institutions from common types of cyber incursions. The proposed fundamental and essential measures can be implemented by all financial institutions regardless of size or system complexity."
The Cybersecurity Agency of Singapore also recently advised financial institutions to run a systematic cyber risk management program, weighing key security, cost and functionality factors.
The panel also advised financial institutions to maintain good situational awareness of the cyberthreat landscape.
Panel members encouraged MAS to continue working with the industry to strengthen cyber monitoring and surveillance capabilities and deepen cyber intelligence-sharing networks with both global and local partners, the note said.
The MAS recently partnered with the Singapore Chapter of the Financial Services Information Sharing and Analysis Center to establish the Asia Pacific Regional Intelligence and Analysis Center to encourage regional sharing and analysis of cybersecurity information within the financial services sector.
The objective of that partnership is to bolster the quality and timeliness of cyberthreat intelligence received by financial institutions, strengthen cybersecurity risk management and response as well as champion cybersecurity programs and initiatives in the APAC region, says Sopnendu Mohanty, MAS chief fintech officer.
Managing Supply Chain Cyber Risks
Loy points out that IT supply chains are increasingly being targeted and exploited by cybercriminals. The panel recommended that financial institutions have in place an effective multilayered defense, with measures such as source code reviews, system integrity checks and network anomaly detection, to mitigate these risks, the release noted.
The Cybersecurity Agency of Singapore in its cybersecurity guidelines advises financial institutions to adopt a "security by design" approach in the system development lifecycle process to ensure that applications and systems are built, deployed, maintained, upgraded and disposed of securely.
To beef up cybersecurity in the financial sector, MAS has recently collaborated with the Bank of England and the UK's Financial Conduct Authority to identify effective ways to share information and explore the potential for staff exchanges.