The Monetary Authority of Singapore (MAS) has issued a set of legally binding requirements to raise the standards and strengthen the cyber resilience of the financial sector.
The Notice on Cyber Hygiene states that financial institutions must comply with risk management guidelines within the next 12 months in an effort to strengthen their cyber resilience.
"Cyber threats in the financial sector are growing because of increased digital footprint and pervasive use of the internet," said Tan Yeow Seng, chief cybersecurity officer at MAS. "The financial sector must remain vigilant and ensure that defenses are able to counter varied and evolving threats."
It will now be mandatory for financial institutions to comply with the following requirements:
- establish and implement robust security for IT systems;
- ensure updates are applied to address system security flaws in a timely manner;
- deploy security devices to restrict unauthorised network traffic;
- implement measures to mitigate the risk of malware infection;
- secure the use of system accounts with special privileges to prevent unauthorised access; and
- strengthen user authentication for critical systems as well as systems used to access customer information.
Financial institutions have until August 6, 2020 to comply with the new guidelines.
"Good cyber hygiene can go a long way in protecting financial institutions from common types of cyber incursions as the proposed fundamental and essential measures can be implemented by all financial institutions regardless of size or system complexity," Seng said.
Singapore's central bank has established the new requirements in the wake of recent security incidents, including:
- The leak of data on the HIV-positive status of more than 14,000 patients exposed online, allegedly by a US citizen whose partner was a Singapore doctor with the authority to access the data
- A SingHealth breach that exposed data of about 1.5 million patients, including the prime minister
- The exposure on the internet of personal information of more than 800,000 blood donors for more than nine weeks
MAS had sought feedback from the public and various industrial firms on the proposal to make this suite of cybersecurity measures into legally binding requirements. Financial institutions provided some suggestions regarding implementation, including focusing on strengthening user access to systems that store or access customer data and allowing more time for financial institutions to design, acquire and integrate robust user authentication technology into their critical systems.