Boards advised to set cyber risk culture in financial services

Out-Law News | 07 Oct 2019 | 9:03 am | 1 min. read

Boardroom directors should set the cyber risk culture within financial services companies, a panel of experts that keeps Singapore's central bank updated on cybersecurity issues has said.

The Cyber Security Advisory Panel (CSAP) to the Monetary Authority of Singapore (MAS) said that cyber risk culture needs to be strengthened in the financial services sector.

"Poor risk culture was often cited as a contributing factor during cyber incidents," MAS said in summarising a recent meeting of CSAP. "The meeting discussed ways to strengthen cyber risk culture. CSAP members highlighted that the board and senior management of financial institutions should set clear expectations for cyber risk culture and monitor and assess how well the desired risk management culture is operating across the organisation."

Technology law specialist Bryan Tan of Pinsent Masons MPillay, the Singapore joint venture partner of Pinsent Masons, the law firm behind Out-Law, said: "Given the importance of cyber risks, the board and senior management can not afford to ignore cyber issues. It is a given that any crisis management team should have the involvement of the top business leaders given its responsibility to manage a crisis to the business."

At its meeting, the CSAP experts said cyber monitoring and surveillance could also be improved within the financial services sector, and urged MAS to work with industry to help with this and to "deepen cyber intelligence-sharing networks with both global and local partners".

Financial services institutions were also warned by CSAP about the growing cyber risk they are facing through weaknesses in their supply chain.

"IT supply chains were increasingly being targeted and exploited by cyber criminals," MAS said. "CSAP members recommended that financial institutions should have in place an effective multi-layered defence with measures, such as source code reviews, system integrity checks, and network anomaly detection, to mitigate these risks."

Seven members of CSAP met on 30 September. David Koh, chief executive of the Cyber Security Agency of Singapore, was joined for the meeting by senior representatives from Microsoft, PayPal, Amazon Web Services, Standard Chartered, JP Morgan Chase and Fox-IT.

The advice from CSAP was published by MAS during Singapore International Cyber Week, at which the Cyber Security Agency of Singapore also outlined a new operational technology cybersecurity masterplan. The plan is designed to "enhance the security and resilience of Singapore’s critical information infrastructure sectors in delivering essential services".