MAS plans 6 cyber security rules for financial institutions

The MAS move to tighten cyber security rules for financial institutions comes on the back of more financial processes being done digitally and a rising trend of cyber attacks. PHOTO: BLOOMBERG

Regulator aims to make measures legally binding; public consultation ends on Oct 5

The Monetary Authority of Singapore (MAS), in a move to tighten cyber security rules for financial institutions (FIs) in Singapore, has proposed making a set of six essential cyber security measures legally binding.

The measures are already part of the existing MAS Technology Risk Management Guidelines, but the financial regulator now aims to make them legally binding.

The move, announced yesterday, comes as more financial processes are being done digitally, and in the face of increasing cyber attacks.

The six measures are to: address system security flaws in a timely manner; establish and implement robust security for systems; deploy security devices for securing system connections; install anti-virus software; restrict the use of system administrator accounts; and strengthen user authentication for these accounts on critical systems.

Breaches often result from insecure system configurations or compromised system accounts, MAS said. The proposed measures will enhance FIs' systems and networks as well as mitigate the risk of unauthorised use of system accounts with extensive access privileges.

A public consultation on the proposed measures was launched yesterday and will end on Oct 5. A copy of the public consultation paper is available on MAS' website.

Banks welcomed the proposed measures and reaffirmed their commitment to keeping sensitive information safe.

UOB head of group technology and operations Susan Hwee said: "In the face of rapid development of technologies and the growing sophistication of financial crime, we remain vigilant and are constantly monitoring developments and enhancing our systems to ensure that we detect and respond to potential cyber security risks and threats promptly."

OCBC Bank's head of group technology services Eugene Lau said recent cyber attacks in the region are a reminder of the vulnerabilities present in increasingly complex IT systems.

"Hence, financial institutions must continue to upkeep their cyber defence capabilities with the latest technologies," Mr Lau said.

OCBC is already internally assessed to comply with regulatory standards and has a comprehensive security protection framework in place, he added.

A spokesman for DBS Bank said that besides its own cyber security technology, it prioritises employee education and collaborations with external parties to keep abreast of evolving threats.

"Going forward, we also expect cyber security thinking to converge with risk management in other areas, such as use of data and risk of insider misuse of computer assets," the spokesman added.

A version of this article appeared in the print edition of The Straits Times on September 07, 2018, with the headline 'MAS plans 6 cyber security rules for financial institutions'.