SINGAPORE: The Monetary Authority of Singapore (MAS) on Monday (Jan 18) issued revised guidelines for financial institutions to better mitigate cyber risks, which includes requiring them to have strong oversight of their third-party service providers and technology vendors.
The new guidelines apply to banks, payment services companies, as well as trading and insurance firms.
It comes amid recent cyberattacks around the world, including the so-called SolarWinds incident. Hackers subverted Texas-based software company SolarWinds and used the company as a springboard to jump deep into US government and corporate networks.
"The recent spate of cyberattacks on supply chains, which targeted multiple IT service providers through the exploitation of widely-used network management software, is a clear indication of a worsening cyber threat environment," said MAS in a media release.
"The revised guidelines focus on addressing technology and cyber risks in an environment of growing use by financial institutions (FIs) of cloud technologies, application programming interfaces, and rapid software development."
Among the measures set out in the revised guidelines, financial institutions are expected to exercise "strong oversight" of arrangements with third-party service providers, said Singapore's central bank.
"The FI should assess and manage its exposure to technology risks that may affect the confidentiality, integrity and availability of the IT systems and data at the third party before entering into a contractual agreement or partnership," the guidelines stated.
Financial institutions should also ensure that third-party and open-source software codes are subject to review and testing before integration into their own software.
In addition, cyber exercises should be conducted to allow financial institutions to stress test their cyber defences.
The revised guidelines also provide additional guidance on the roles and responsibilities of the board of directors and senior management of financial institutions.
They should ensure that a chief information officer and chief information security officer, with the requisite experience and expertise, are appointed and made accountable for managing cyber risks, said MAS.
The board itself should include members with the relevant knowledge to provide effective oversight of cyber risks.
"Technology now underpins most aspects of financial services. Not only are financial institutions adopting new technologies, they are also increasingly reliant on third-party service providers," said Mr Tan Yeow Seng, MAS' chief cyber security officer.
"The revised guidelines set out MAS' higher expectations in the areas of technology risk governance and security controls in financial institutions."
MAS said it expects firms to observe the guidelines as this will be considered in its risk assessment of the financial institutions.