Singapore moots 'essential' cybersecurity rules for financial firms
Singapore has proposed a set of cybersecurity rules that financial institutions, including banks, in Singapore must adopt to ensure their IT systems are adequately protected and to beef up their cyber resilience.
The Monetary Authority of Singapore (MAS) on Thursday revealed six "essential cybersecurity measures" that that these local businesses would need to implement. These included attending to security flaws "in a timely manner", deploying security devices to secure system connection, installing antivirus software to mitigate risks of malware infection, and restricting the use of systems administrator accounts that could modify system configuration.
These currently were part of the regulator's Technology Risk Management Guidelines, said MAS, which now was proposing they be instilled as mandatory implementations.
"Cyber breaches are often the result of insecure system configurations or compromised system accounts," the industry regulator said. "These measures...are aimed at enhancing the security of financial institutions' systems and networks as well as mitigating the risk of unauthorised use of system accounts with extensive access privileges. MAS is proposing to stipulate these measures as a baseline hygiene standard for cyber security by elevating them into legally binding requirements."
Its chief cybersecurity officer Tan Yeow Seng added that the proposed measures outlined "a clear and common cybersecurity waterline" to boost the readiness of financial institutions to address cyber threats.
Tan added: "This will help ensure our financial sector as a whole continues to be resilient to cyber threats."
MAS has made details of the proposed measures available for public consultation until October 5.
The banking and finance sector is one of 11 critical information infrastructure (CII) sectors covered under Singapore's cybersecurity bill, which enables the relevant local authorities to take proactive measures to protect these CIIs. The bill outlines a regulatory framework that formalises the duties of CII providers in securing systems under their responsibility, including before and after a cybersecurity incident had occurred.
Singapore in July suffered its "most serious" data breach that compromised personal data of 1.5 million healthcare patients, including that of its Prime Minister Lee Hsien Loong. Following the incident, MAS instructed local banks to tighten up their customer data verification processes and and not to depend solely on the types of data compromised in the breach, including full name, national identification number, and date of birth.