The Monetary Authority of Singapore (MAS) has moved to tighten the rules on cyber security for financial institutions in Singapore by proposing that a set of six essential cyber-security measures to protect their IT systems be made legally binding.
The measures are already part of the existing MAS Technology Risk Management Guidelines, but the financial regulator is proposing to raise them into legally binding requirements.
The move comes as more financial processes are being done digitally, and in the face of increasing cyber attacks.
The six measures are:
– addressing system security flaws in a timely manner;
– establishing and implementing robust security for systems;
– deploying security devices to secure system connections;
– restricting the use of system administrator accounts that can modify system configurations; and
– strengthening user authentication for system administrator accounts on critical systems.
The move is aimed at countering cyber breaches, which are often the result of insecure system configurations or compromised system accounts, said the MAS in a press statement on Thursday (Sept 6). The proposed measures are aimed at enhancing the security of financial institutions’ systems and networks as well as mitigating the risk of unauthorised use of system accounts with extensive access privileges.
Said MAS chief cyber security officer Tan Yeow Seng: “The proposed notice on cyber hygiene seeks to strengthen the overall readiness of all financial institutions to address cyber threats by delineating a clear and common cyber-security waterline for the financial industry. This will help ensure that our financial sector as a whole continues to be resilient to cyber threats.”
Cyber security has been in the spotlight in Singapore since July 10 when news broke of a massive data breach at the SingHealth cluster of public hospitals. The nation’s worst cyber attack compromised the private data of 1.5 million SingHealth patients, including the medical prescriptions of Prime Minister Lee Hsien Loong.
In the wake of the attack, 11 critical service sectors, including banking and finance, were asked to review their connections to untrusted external networks or ensure better protection if they could justify the need for these connections.
The MAS has launched a public consultation on its proposed measures, which will be open to feedback from Thursday (Sept 6) to Oct 5. A copy of the public consultation paper is available on its website.