Singapore tightens cyber defence guidelines for financial services sector
Singapore has revised its current set of guidelines on technology risk management for financial institutions to include, amongst others, “strong oversight” of their partnerships with third-party service providers to ensure data confidentiality. The revisions also include updated guidance on security controls and stress tests as well as the appointment of third-party vendors and senior IT executives.
Detailed under the Technology Risk Management Guidelines, the revisions were made to keep pace with emerging technologies and shifts in the current threat landscape, said the Monetary Authority of Singapore (MAS) in a statement Monday.
Caught by the sudden onslaught of COVID-19, most businesses lacked or had inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secure user devices.
Noting that financial institutions increasingly were tapping cloud technologies and APIs (application programming interfaces), the industry regulator underscored the need to incorporate security controls and stronger risk mitigation strategies as part of these organisations’ technology development and deployment lifecycle.
“The recent spate of cyber attacks on supply chains, which targeted multiple IT service providers through the exploitation of widely-used network management software, is a clear indication of a worsening cyber threat environment,” it added.
Services from third-party providers, for instance, likely would be delivered using IT and might involve confidential customer data stored by the service provider. Any system failure or security breach on the part of these providers could adversely impact the financial institution’s customers and operations.
The guidelines highlighted the need to assess and manage the company’s exposure to technology risks that might affect the confidentiality and availability of IT systems and data at the third-party service provider, before a contractual agreement or partnership was established. Financial institutions also should ensure, on an ongoing basis, that the third party adopted “a high standard of care and diligence” in safeguarding data confidentiality and integrity as well as system resilience.
In addition, financial institutions must establish processes to enable the “timely analysis and sharing” of cyber threat intelligence within the sector and conduct drills to stress test their cyber defences, via the simulation of real-world attack tactics and procedures.
Stronger oversight should further extend to human skillsets, including contractors and service providers, where financial institutions should ensure all personnel had the requisite competence to perform the necessary IT functions and manage technology risks.
This should include the appointment of a CIO or CISO, and the financial institution’s board must comprise members with the necessary knowledge to offer “effective oversight of technology and cyber risks”, said MAS.
MAS’ chief cyber security officer Tan Yeow Seng said: “Technology now underpins most aspects of financial services. Not only are financial institutions adopting new technologies, they are also increasingly reliant on third party service providers. The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions.”