Financial services and e-payment firms in Singapore must follow new cyber hygiene rules from next August: MAS


SINGAPORE - All financial services and e-payment firms in Singapore must follow a set of cyber hygiene rules from August next year, with Singapore's central bank stepping up efforts to strengthen the sector's defence against rising threats.

The Monetary Authority of Singapore (MAS) announced the mandatory rules on Tuesday (Aug 6), saying the sector will be more exposed to risks when it opens up to more technology players including e-wallet services and cryptocurrency firms.

E-payment firms include players such as GrabPay and Singtel Dash, while companies like Binance Singapore and Luno are involved in the cryptocurrency business.

The MAS said financial institutions it licenses, including banks and stock brokerage firms, will have to comply with the cyber hygiene rules.

There are currently over 1,600 firms licensed by the central bank.

It is the first financial authority in the world to mandate cyber hygiene, which includes the need for strong passwords, multi-factor authentication and firewalls to restrict unauthorised network traffic.

These measures - which also include regular updates of anti-virus software and validation of who has access to administrative accounts - are legally binding, and those who fail to comply may face sanctions.

The MAS' toughened stance follows two years of consulting with the industry and a spate of data breaches globally.

"When we looked at all the incidents that happened globally and in Singapore, we realised that 90 per cent of them are a result of basic cyber hygiene not being followed," said Mr Vincent Loy, assistant managing director of technology at the MAS, in an interview with The Straits Times.

The most recent massive breach took place in March this year and involved the account and credit card applications of some 106 million American customers of US bank Capital One.

In Singapore, a breach in June last year saw the personal data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people stolen.

It was billed as Singapore's worst data breach.

The Capital One intrusion occurred through a misconfigured Web application firewall that enabled access to the data.

"All the cyber security incidents confirmed the need for a set of cyber hygiene rules, which we first thought of having two years ago," said Mr Loy, who oversees all things related to technology, data and cyber security at the MAS.

He took on the senior management role, a newly created position, two months ago. He joined from consulting firm Accenture, where he was its financial services leader in Singapore.

Explaining why the financial sector often has to take the lead in risk management, Mr Loy said: "Unlike other sectors, the impact of cyber breaches in the financial services sector is much more immediate and pronounced, as we are dealing with money and customers' confidential data."

This is also why Singapore has introduced the new Payment Services Act, slated to be in force from January 2020.

The Act will streamline the regulation of all payment services including previously unregulated ones such as the e-wallet services of tech companies and cryptocurrency firms.

Mr Loy said these firms may not have thought about cyber hygiene and could be a "weak link" in Singapore's financial services sector.

The MAS is also consulting the industry on whether it is feasible to impose on critical payment system operators like Nets other measures currently imposed on banks.

They include a maximum unscheduled downtime of four hours a year and reporting to the MAS within one hour of any service failure.

When contacted, Singtel and Grab said they would comply with the new rules.
