MAS to tighten rules on cyber resilience in finance

It is among moves to boost security as more financial processes are being done digitally

Moves are under way on a range of fronts to beef up security around the increasing number of financial processes being carried out digitally.

One involves the Monetary Authority of Singapore (MAS) raising the regulatory requirements on cyber resilience in the finance industry, a senior MAS officer said yesterday.

Chief cyber security officer Tan Yeow Seng told the Visa Security Summit here yesterday that the MAS will issue a public consultation soon on cyber hygiene.

This will require financial institutions to implement a set of fundamental controls to raise their level of resilience to security threats.

They will also have to conduct independent reviews to ensure that they are compliant with the upcoming rules.

Mr Tan said financial institutions will have to "adopt cyber hygiene practices such as strong authentication, controlled use of administrative privileges and proper patch management".

The move to step up cyber resilience comes amid a growing market for digital payments. Visa estimates that over half of all transactions in Asia-Pacific alone are still in cash. That translates to a US$6.1 trillion (S$8.2 trillion) cash opportunity, said Mr Chris Clark, Visa's group executive for Asia Pacific.

The MAS is also working with the Association of Banks in Singapore to develop guidelines that would define technology risks faced by the financial sector. It will also strengthen collaboration by having banks come together to share information on cyberthreats.

The regulator has partnered with the Financial Services Information Sharing and Analysis Centre to set up its Asia Pacific Regional Analysis Centre. This facility allows financial institutions to share and receive cyberthreat information and other resources tailored for the region, said Mr Tan.

Regulators can also share information on attack tools, modus operandi as well as countermeasures to mitigate the risk of future attacks, he added, noting: "Financial regulators stand to gain from sharing cyberthreat information as it can enhance their supervision and policymaking in respect of cyber risks."

There will also be general standards laid down around the responsibilities of both users and financial institutions when it comes to e-payments. These protections will mean banks must provide users with timely transaction notifications.

Mr Tan noted: "It is important to stress that trust is not simply making financial institutions liable for every loss suffered by a reckless user. It is about being a responsible participant in the payment ecosystem and that includes consumers, financial institutions and fintech firms."

A version of this article appeared in the print edition of The Straits Times on May 18, 2018, with the headline 'MAS to tighten rules on cyber resilience in finance'.