MAS (the Monetary Authority of Singapore) has issued a consultation paper proposing six essential cyber security measures that FIs (financial institutions) in Singapore will be required to implement in order to better protect their IT systems.
The move, announced on 6 September, will help FIs strengthen their cyber resilience and defend against cyber attacks.
The six measures, which are already part of the existing MAS Technology Risk Management Guidelines, instruct FIs to:
- Address system security flaws in a timely manner;
- Establish and implement robust security for systems;
- Deploy security devices to secure system connections;
- Install antivirus software to mitigate the risk of malware infection;
- Restrict the use of system administrator accounts that can modify system configurations; and
- Strengthen user authentication for system administrator accounts on critical systems.
According to MAS, these proposed measures act “as a baseline hygiene standard for cyber security by elevating them into legally binding requirements”.
The public consultation will run until 5 October 2018; a copy of the consultation paper can be downloaded from the MAS website.
What does this mean for banks in Singapore?
MAS chief cyber security officer, Tan Yeow Seng, said, “The proposed Notice on Cyber Hygiene seeks to strengthen the overall readiness of all financial institutions to address cyber threats by delineating a clear and common cyber security waterline for the financial industry.
“This will help ensure that our financial sector as a whole continues to be resilient to cyber threats.”
A number of banks have welcomed the proposal and confirmed their commitment to information security.
UOB’s head of group technology and operations, Susan Hwee, told The Straits Times, “In the face of rapid development of technologies and the growing sophistication of financial crime, we remain vigilant and are constantly monitoring developments and enhancing our systems to ensure that we detect and respond to potential cyber security risks and threats promptly.”
ISO 27001 and the MAS cyber security measures
There are similarities between MAS’s proposed cyber security measures and the international standard ISO 27001.
ISO 27001 describes the requirements for an ISMS (information security management system), a best-practice approach that incorporates people, processes and technology.
The Standard is made up of 10 clauses, which define the ISMS requirements, and Annex A, which comprises 114 controls under 14 categories.
|MAS aims/objectives||ISO 27001 clause||Annex A|
|Address system security flaws in a timely manner||6.1.1 and 10.1||12.1.2|
|Establish and implement robust security for systems||6.1.1||12.1.1, 14.2.2 and 14.2.5|
|Deploy security devices to secure system connections||6.1.1||13.1.1 and 13.1.2|
|Install antivirus software to mitigate the risk of malware infection||12.2.1|
|Restrict the use of system administrator accounts that can modify system configurations||9.1.1, 9.1.2, 9.2.3, 9.4.1 and 12.4.3|
|Strengthen user authentication for system administrator accounts on critical systems||9.1.2, 9.2.2, 9.2.4, 9.3.1 and 9.4.2|
How ISO 27001 clauses and Annex A controls map to the proposed cyber security measures
Implementing an ISO 27001-compliant ISMS will put FIs in Singapore in a strong position if the consultation paper is approved.
Benefits of implementing an ISO 27001-compliant ISMS
ISO 27001 certification is growing among organisations in Singapore, with the number of certificates increasing by 89% in the past five years (ISO Survey).
As well as helping FIs meet the proposed cyber security requirements, implementing an ISO 27001-certified ISMS will also help them:
- Avoid financial penalties;
- Protect their information and intellectual property rights;
- Protect their reputation;
- Satisfy audit requirements;
- Gain a competitive advantage with new and existing clients; and
- Build trust globally.