The Monetary Authority of Singapore (MAS) updates its technology risk management guide for financial institutions in the as cyberthreats loom large

The Monetary Authority of Singapore (MAS) updates its technology risk management guide for financial institutions in the as cyberthreats loom large. Source: AFP

Singapore tightens finance sector cybersecurity in wake of recent attacks

  • Cyberattacks targetting financial institutions have been on the rise globally
  • As one of the most cyber-ready regions in Asia, the Monetary Authority of Singapore has revised its technology risk management guide for financial institutions

Singapore’s financial regulator (MAS) has once again revised its technology risk management guide for financial institutions, to also protect data confidentiality and enforce “strong oversight” of partnerships with third-party service providers.

The updated changes to the MAS’ Technology Risk Management Guidelines also include new guidance on security controls and stress tests for finance systems as well as guidance on the appointment of third-party vendors and senior IT executives.

The Monetary Authority of Singapore said in a statement last week that the new revisions on top of the previous recommended guidelines are intended to help businesses and financial institutes on the island to keep pace with the ever-evolving technologies as well shifts in the current cybersecurity threat landscape.

Cyber intrusions have been picking up on a global scale, with wider and more pervasive consequences for organizations, individuals, and governmental infrastructure. For instance, the hacking of US-based SolarWinds, a leading provider of IT management software, had subjected hundreds of thousands of firms and government entities around the world to risks.

SolarWinds’ IT management tools are common components in the products of many large vendors including Microsoft, FireEye, and Cisco Systems. Tan Yeow Seng, the MAS chief cybersecurity officer, told the Straits Times that financial institutions are increasingly reliant on third-party service providers as they adopt new technologies.

With nationwide digitalization on the uptrend, finance companies are increasingly relying on third-party cloud systems and integrating external application programming interfaces (APIs), increasing the risk of exposed endpoints and overlooked cyber vulnerabilities as companies become more and more used to a patchwork ecosystem comprising of many vendors and support services.

“The recent spate of cyberattacks on supply chains, which targeted multiple IT service providers through the exploitation of widely-used network management software, is a clear indication of a worsening cyber threat environment,” reads the statement from the Monetary Authority of Singapore.

Hence the revised regulatory framework spotlights the need to incorporate security controls, and to implement stronger risk mitigation strategies that should ideally become a fixed component of the organization’s tech deployment lifecycle.

The guidelines highlighted the need to assess and manage the company’s exposure to technology risks before a contractual agreement or partnership is reached with an external provider, as that might affect not only the confidentiality of the data, but the exposure risk of both the data and the IT systems at the third-party service provider.

Singapore is the top territory in Southeast Asia and the Asia Pacific region as a whole with the highest cybersecurity readiness rating, according to the Deloitte Cyber Smart Index, and its promptness to update its cyber guidelines to protect its financial services underscores this point yet again.

Australia has also recently outlined a $65 million national cybersecurity framework to protect its exposed small and medium businesses, after the country was allegedly the target of state-sponsored cyberattacks targeting critical government infrastructure and private enterprises.

Not long after, New Zealand’s central bank was the latest in a series of high-level financial institutions compromised by bad actors. And just this week, a group of hacker activists calling themselves Anonymous Malaysia threatened to attack Malaysian government websites and other online assets, claiming the government had done little to curb the many data breaches and sales of personal information of Malaysian citizens in recent years.