SINGAPORE: Financial institutions must comply with a new set of requirements by next year to “raise the cyber security standards and strengthen cyber resilience” of the sector, the Monetary Authority of Singapore (MAS) said on Tuesday (Aug 6).
The legally binding notice on cyber hygiene sets out the measures that firms and organisations must take to “mitigate the growing risk of cyber threats”. Key elements in the existing MAS technology risk management guidelines will also be made compulsory, the authority added.
These requirements include having robust security for IT systems, ensuring updates are applied to address system security flaws in a timely manner, and deploying security devices to restrict unauthorised network traffic.
Financial institutions should also implement measures to mitigate the risk of malware infection, secure the use of system accounts with special privileges to prevent unauthorised access and strengthen user authentication for critical systems as well as systems used to access customer information.
These requirements will come into effect on Aug 6, 2020, MAS said.
“Cyber threats in the financial sector are growing as a result of an increased digital footprint and pervasive use of the Internet,” MAS’ chief cyber security officer Tan Yeow Seng said.
“The financial sector needs to remain vigilant and ensure that defences are able to counter varied and evolving threats.
“Good cyber hygiene can go a long way in protecting financial institutions from common types of cyber incursions.
“These fundamental and essential measures can be implemented by all financial institutions regardless of size or system complexity.”
In September 2018, MAS sought feedback from the public on the issue. It added that financial institutions “generally welcomed” the measures, and suggested focusing on strengthening user access to systems that store or access customer data, and allowing them more time to implement robust user authentication technology into their critical systems.