The Monetary Authority of Singapore (MAS) requires all financial institutions to comply with a new set of requirements by next year to raise the cybersecurity standards and strengthen cyber resilience.
The cyber hygiene notice sets out the measures that organisations must comply with to mitigate the growing risk of cyber threats. Key elements in the existing MAS technology risk management guidelines will also be made compulsory.
These requirements include having robust security for IT systems, ensuring updates are applied to address system security flaws promptly, and deploying security devices to restrict unauthorised network traffic.
Financial institutions should also implement measures to mitigate the risk of malware infection, secure the use of system accounts with special privileges to prevent unauthorised access and strengthen user authentication for critical systems as well as systems used to access customer information.
The central bank said these requirements would come into effect on Aug 6, 2020, and all licensed financial institutions are subject to the notice. Payment service providers like e-wallet providers and firms dealing with cryptocurrencies will also have to follow the new rules.
CyberSecurity Asean spoke to Olli Jarva, Managing Consultant of Synopsys Software Integrity Group, and Clement Lee, Principal Security Architect, APJ of Check Point Software Technologies, to get their views on this.
Olli said the latest move from MAS to impose new cyber hygiene rules for all financial services and e-payment firms is a timely action that should be welcomed by consumers and companies alike. While the financial services sector is relatively mature in terms of its software security posture, many firms are still struggling with a rapidly evolving technology landscape and facing increasingly sophisticated adversaries. Be it a shift to cloud or new ways of payment services, history has shown that there is a significant need for improvement in supply chain risk management.
Clement pointed out that this is simple hygiene that should have been expected from a standard security operation. The fact that MAS has to run this down to elements means that they found technology risk management (TRM) misinterpreted or misinformed. A security practice is only as strong as the weak implementation, and its importance depends heavily on the organisation's risk posture.
According to Olli, the 2019 survey on “The State of Software Security in the Financial Services Industry”, published by Synopsys Cybersecurity Research Center (CyRC) and Ponemon Institute, revealed that more than half of the respondents have experienced system failure or downtime, or theft of sensitive customer data, due to insecure software or technology. Unsurprisingly, the study shows that more organisations are effective in detecting and containing cyber attacks than in preventing attacks.
He explained that the big positive impact of the MAS rules on the new cyber hygiene and cybersecurity standards is that they can boost consumer confidence and trust in the new and current services from the financial services industry, be it from established stalwarts or startups.