Recently, JPMorgan Chase CEO Jamie Dimon warned that the “biggest vulnerability” for the financial system is the threat of cyber attacks. Hackers, especially those working for nation-states, have grown more sophisticated and more determined, particularly as geopolitical tensions rise.
In addition to shoring up their own capabilities, countries are increasingly looking to require their financial institutions to protect themselves. Such is the case with Singapore. On September 6, 2018, the Monetary Authority of Singapore (MAS) issued a Consultation Paper on the proposed requirements for Financial Institutions (FIs) in Singapore to implement essential cybersecurity measures to protect their IT systems. The MAS has existing Technology Risk Management Guidelines in place to set out risk management principles and best practice standards for FIs to manage technology and cyber risks.
The proposed Notice on Cyber Hygiene will make it mandatory for FIs to implement the following six cybersecurity measures:
- address system security flaws in a timely manner;
- establish and implement robust security for systems;
- deploy security devices to secure system connections;
- install anti-virus software to mitigate the risk of malware infection;
- restrict the use of system administrator accounts that can modify system configurations; and
- strengthen user authentication for system administrator accounts on critical systems.
While the above measures are not groundbreaking per se, and while other jurisdictions like New York’s Department of Financial Services already require similar, if not even more rigorous, measures and plans, they form part of the initiatives by MAS to strengthen the overall cyber resilience of FIs within Singapore. In fact, MAS states that in developing the Notice, it “has referred to the cyber security guidance and regulations in other major jurisdictions to extract the most relevant and effective hygiene practices for FIs to adopt.”
MAS recognizes that many of the cyber breaches that occurred globally were due to poor cyber hygiene, such as insecure system configurations or compromised system accounts. The prescribed measures are aimed at enhancing the security of FI systems and networks as well as mitigating the risks of unauthorized use of system accounts. MAS also focuses on proactive plans and will expect companies to live up to those plans. So far, the recommendations are largely tech-neutral, in recognition of the fact that technologies change faster than regulations are updated. That said, MAS does require multi-factor authentication, which is quickly emerging as a technological best practice to help prevent phishing scams, which so often form the basis of cyber attacks.
Other initiatives by the MAS include a review of the Technology Risk Management Guidelines (last updated in June 2013) and a partnership with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to establish its Asia Pacific Regional Analysis Center in Singapore. The Regional Center supports member financial institutions across nine Asia Pacific countries, allowing them to share and receive cyber threat information and other resources tailored for the region. In turn, this will build a sense of solidarity among stakeholders in the financial ecosystem. The public consultation on the proposed Notice on Cyber Hygiene is open until October 5.