MAS proposes legally-binding cyber security measures for all Singapore financial institutions

THE Monetary Authority of Singapore (MAS) has moved to tighten the rules on cyber security for financial institutions (FIs) in Singapore by proposing to make legally binding a set of six essential cyber security measures to protect their IT systems.

The measures are already part of its existing MAS Technology Risk Management Guidelines, but the financial regulator is proposing to raise them into legally binding requirements.

The move comes as more financial processes are being done digitally, and in the face of increasing cyber attacks.

The six measures are:

- addressing system security flaws in a timely manner

- establishing and implementing robust security for systems

- deploying security devices to secure system connections

- installing anti-virus software to mitigate the risk of malware infection

- restricting the use of system administrator accounts that can modify system configurations, and

- strengthening user authentication for system administrator accounts on critical systems.

The move is aimed at countering cyber breaches, which are often the result of insecure system configurations or compromised system accounts, said MAS in a press release on Thursday. The proposed measures are aimed at enhancing the security of FIs’ systems and networks as well as mitigating the risk of unauthorised use of system accounts with extensive access privileges.

Said MAS chief cyber security officer Tan Yeow Seng: “The proposed notice on cyber hygiene seeks to strengthen the overall readiness of all financial institutions to address cyber threats by delineating a clear and common cyber security waterline for the financial industry. This will help ensure that our financial sector as a whole continues to be resilient to cyber threats.”

Cyber security has been in the spotlight in Singapore since July 10 when news broke of a massive data breach at the SingHealth cluster of public hospitals. The nation's worst cyber attack compromised the private data of 1.5 million SingHealth patients, including the medical prescriptions of Prime Minister Lee Hsien Loong.

In the wake of the attack, 11 critical service sectors, including banking and finance, were asked to review their connections to untrusted external networks or ensure better protection if they could justify the need for these connections.

MAS has launched a public consultation on its proposed measures, which will be open to feedback from Sept 6 to Oct 5.