On 21 May 2014, the Monetary Authority of Singapore (the "MAS") issued a circular to financial institutions ("FIs") on system vulnerability assessments and penetration testing.
The circular notes that the growing Internet usage by FIs has increased their exposure to cyber-attacks, rendering them more vulnerable to security breaches such as unauthorised system access, data theft, system outages and website defacement.
Under the MAS Technology Risk Management Guidelines, FIs are expected to implement robust security measures to ensure that their systems and data are well protected against any breach or loss. These measures would include:
- (a) Vulnerability assessments: Continuously monitor for emergent security exploits, and perform regular vulnerability assessments of IT systems against common and emergent threats;
- (b) Penetration testing: Perform penetration tests on Internet-facing systems at least annually; and
- (c) Timely remediation: Establish a process to effectively and timeously remedy issues identified from (a) and (b).
The requirements listed above would similarly apply to outsourced activities. Where an outsourcing arrangement involves the handling of sensitive customer data by the service provider, FIs have to ensure that the data is accorded the same level of protection as if it is processed in-house. Where applicable, stringent requirements for regular vulnerability assessments and penetration testing must be applied to the service providers' environment.