Security Requirements for Singapore Banks ProposedAgency Proposes Mandating Banks Take Six Steps
The Monetary Authority of Singapore is proposing to require financial institutions to implement six security measures to better guard against cyberattacks. But some security experts say the tricky part will be making sure banks actually take the required steps.
MAS is accepting comments on its proposal until October 5, after which it will finalize the mandates.
"Cyber breaches are often the result of insecure system configurations or compromised system accounts. The measures, which are already part of the existing MAS Technology Risk Management Guidelines, are aimed at enhancing the security of FIs' systems and networks as well as mitigating the risk of unauthorized use of system accounts with extensive access privileges," says Tan Yeow Seng, chief cybersecurity officer at MAS.
With Singapore suffering its biggest breach two months ago, which exposed data of about 1.5 million patients who visited organizations that are part of SingHealth, the nation's largest healthcare group, MAS is taking action to avoid a similar incident in the financial sector.
In the wake of the attack, 11 critical service sectors, including banking and finance, were asked to review their connections to untrusted external networks to ensure better protection.
Commenting on MAS's proposal, Aloysius Cheang, CEO at iSyncGroup, an IoT company, says: "I am delighted to find that they are able to articulate specific security controls to mitigate perceived risk. Most regulators would just give a more generic advice without committing to the nuts and bolts that MAS is willing to go down to the details."
Nevertheless, Cheang argues that what's also needed is a change in the mindset of the management of banks, demonstrating their willingness to embrace the advice from MAS. "Hopefully, MAS's legally binding requirement will now force the companies to implement these measures," he says.
As financial companies get more digitized, their risk to cyberattacks increases.
"The proposed notice on cyber hygiene seeks to strengthen the overall readiness of all financial institutions to address cyber threats by delineating a clear and common cybersecurity waterline for the financial industry. This will help ensure that our financial sector as a whole continues to be resilient to cyber threats," Seng says in a statement.
MAS has proposed that banks be required to:
- Address system security flaws in a timely manner;
- Establish and implement robust security for systems;
- Deploy security devices to secure system connections;
- Install anti-virus software to mitigate the risk of malware infection;
- Restrict the use of system administrator accounts that can modify system configurations;
- Strengthen user authentication for system administrator accounts on critical systems.
"In developing the notice, MAS has referred to the cybersecurity guidance and regulations in other major jurisdictions to extract the most relevant and effective hygiene practices for FIs to adopt. These measures, if well implemented, would be effective against a wide range of cyberattacks," says a consultant based in Singapore, who asked not to be named.
Immediately following the SingHealth breach, MAS had advised banks to beef up authentication.
MAS's proactiveness has surprised its critics, who find the organization conservative when it comes to urging banks to adopt new technologies.
"MAS has never been at the forefront of the adoption curve," Cheang says. "They never really advise or enforce the adoption of new technology to solve security issues until it is mature. For example, two-factor technology was only embraced many years down the road after it was more commonly accepted and the risks became well documented and tested and the costs came down."
The Road Ahead
Many security experts argue that MAS needs to influence enterprises to leverage appropriate technologies that can help in early detection of breaches and build a security culture within the organization.
Cheang argues that MAS needs to "prescribe rules on developing customized cyber awareness programs for senior management, mid-management and operational staff within enterprises and compel them to frame policies embedded with strong security and auditing capabilities, which is one way to ensure a cyber-secure environment."
Singapore needs a cybersecurity strategy that directs enterprises and government to become far more engaged in securing both devices and networks, he contends.
Some security experts argue that MAS needs to take bold steps to make sure security recommendations get implemented by banks and other financial institutions.
"Since it is open to public comments, there will be more specific issues and challenges that will be covered. But at the end of it, MAS must devise a mechanism to ensure banks implement the measures without fail," says a security practitioner based in Malaysia, who requested anonymity.