New cyber hygiene rules for financial sector from next Aug

With rising threats, financial institutions licensed by the MAS, including banks and stock brokerage firms, will have to comply with the cyber hygiene rules.

Measures include regular anti-virus software updates, validation of admin account access

All financial services and e-payment firms here must follow a set of cyber hygiene rules from August next year, with Singapore's central bank stepping up efforts to strengthen the sector's defence against rising threats.

The Monetary Authority of Singapore (MAS) announced the mandatory rules yesterday, saying the sector will be more exposed to risks when it opens up to more technology players including e-wallet services and cryptocurrency firms.

E-payment firms include GrabPay and Singtel Dash, while companies like Binance Singapore and Luno are involved in the cryptocurrency business.

The MAS said the 1,600-plus financial institutions it licensed, including banks and stock brokerage firms, will have to comply with the cyber hygiene rules.

It is the first financial authority in the world to mandate cyber hygiene, which includes the need for strong passwords, multi-factor authentication and firewalls to restrict unauthorised network traffic.

These measures - which include regular updates of anti-virus software and validation of who has access to administrative accounts - are legally binding and those who fail to comply may face sanctions.

The MAS' toughened stance follows two years of consulting with the industry and a spate of data breaches globally.

"When we looked at all the incidents that happened globally and in Singapore, we realised that 90 per cent of them are a result of basic cyber hygiene not being followed," said Mr Vincent Loy, assistant managing director of technology at MAS, in an interview with The Straits Times.

The most recent massive breach took place in March and involved the account and credit card application data of some 106 million customers of US bank Capital One in the United States and Canada; it was disclosed in July.

In Singapore, a breach in June last year saw the personal data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people stolen. It was billed as Singapore's worst data breach.

The Capital One intrusion occurred through a misconfigured web application firewall in the bank's cloud environment, a perimeter lapse of the kind the firewall requirement in the new rules is meant to address.

"All the cyber security incidents confirmed the need for a set of cyber hygiene rules, which we first thought of having two years ago," said Mr Loy, who oversees all things technology, data and cyber security related at MAS.

He took on the senior management role, a newly created position, two months ago. He joined from consulting firm Accenture, where he was its financial services leader in Singapore.

Explaining why the financial sector often has to take the lead in risk management, Mr Loy said: "Unlike other sectors, the impact of cyber breaches in the financial services sector is much more immediate and pronounced as we are dealing with money and customers' confidential data."

This is also why Singapore has introduced the new Payment Services Act, slated to be in force from next January.

The Act will streamline the regulation of all payment services, including previously unregulated ones such as the e-wallet services of tech companies and cryptocurrency firms.

Mr Loy said these firms may not have thought about cyber hygiene and could be a "weak link" in Singapore's financial services sector.

When contacted, Singtel, Nets and Grab said they would comply with the new rules.

The MAS is also consulting the industry on whether it is feasible to impose on critical payment system operators like Nets other measures that banks have to comply with. These include a maximum unscheduled downtime of four hours a year and reporting to the MAS within one hour of any service failure.

A version of this article appeared in the print edition of The Straits Times on August 07, 2019, with the headline 'New cyber hygiene rules for financial sector from next Aug'.