New mandatory rules from next year for financial industry to combat cyber threats: MAS

Financial institutions must comply with a new set of requirements by next year to "raise the cyber security standards and strengthen cyber resilience" of the sector, the Monetary Authority of Singapore (MAS) said on Tuesday (Aug 6). Cheryl Lin reports.

SINGAPORE: Financial institutions must comply with a new set of requirements by next year to "raise the cyber security standards and strengthen cyber resilience" of the sector, the Monetary Authority of Singapore (MAS) said on Tuesday (Aug 6).  

The legally binding notice on cyber hygiene sets out the measures that firms and organisations must take to "mitigate the growing risk of cyber threats". Key elements in the existing MAS technology risk management guidelines will also be made compulsory, the authority added. 

These requirements include having robust security for IT systems, ensuring updates are applied to address system security flaws in a timely manner, and deploying security devices to restrict unauthorised network traffic.

Financial institutions should also implement measures to mitigate the risk of malware infection, secure the use of system accounts with special privileges to prevent unauthorised access and strengthen user authentication for critical systems as well as systems used to access customer information.

These requirements will come into effect on Aug 6, 2020, and all licensed financial institutions are subject to the notice, the central bank said. Payment service providers like e-wallet providers and firms dealing with cryptocurrencies will also have to follow the new rules. 

The penalties for not complying with the new measures will depend on what is set out in each respective Act for breach of a notice, said MAS in response to CNA's queries.

"For example, if a bank fails to comply with the notice issued under the Banking Act, section 71 of the Banking Act provides that the bank shall be liable on conviction to a fine not exceeding S$100,000 and, in the case of a continuing offence, to a further fine not exceeding S$10,000 for every day or part thereof during which the offence continues after conviction," MAS said.

"Cyber threats in the financial sector are growing as a result of an increased digital footprint and pervasive use of the Internet," MAS' chief cyber security officer Tan Yeow Seng said.

"The financial sector needs to remain vigilant and ensure that defences are able to counter varied and evolving threats. 

"Good cyber hygiene can go a long way in protecting financial institutions from common types of cyber incursions.

"These fundamental and essential measures can be implemented by all financial institutions regardless of size or system complexity."

In September 2018, MAS sought feedback from the public on the issue. It added that financial institutions "generally welcomed" the measures, and suggested focusing on strengthening user access to systems that store or access customer data, and allowing them more time to implement robust user authentication technology into their critical systems.

Source: CNA/aa(mi)
