Cyber rules set for Singapore finance firms

Out-Law News | 07 Aug 2019 | 12:08 pm

Businesses operating in Singapore's financial services industry face new "legally binding requirements" on cybersecurity, after the city state's central bank took action to address what it described as the growing cyber threat facing the sector.

The Monetary Authority of Singapore (MAS) confirmed that it had decided to upgrade the status of six existing standards contained in technology risk management guidelines to formal regulatory requirements from 6 August 2020.

The new requirements are broad in nature, with MAS explaining that the precise measures each institution must implement will vary depending on its size and complexity and the risks it faces. MAS confirmed this risk-based approach in its published response to the feedback it received on its earlier consultation on the reforms. The response also provides further details of the type of steps institutions can take to meet their new obligations.

The high-level requirements are that financial institutions establish and implement robust security for IT systems; ensure updates are applied to address system security flaws in a timely manner; deploy security devices to restrict unauthorised network traffic; implement measures to mitigate the risk of malware infection; secure the use of system accounts with special privileges to prevent unauthorised access; and strengthen user authentication for critical systems as well as systems used to access customer information.

"Relevant entities are expected to have in place a proper IT risk management framework to facilitate the assessment of risks, and they must implement the appropriate measures to mitigate those risks to comply," MAS said.

MAS confirmed that institutions will be responsible for ensuring systems provided by third parties via outsourcing arrangements, as well as the systems they operate themselves, comply with the new requirements.

It has also confirmed that the businesses licensed to provide payment services under the country's new Payment Services Act, finalised earlier this year but yet to come into force, will be subject to the new cybersecurity requirements.

Bryan Tan, technology law expert at Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, the law firm behind Out-Law, said: "This makes it clear that cyber compliance is now no longer optional or nice to have – and all classes of MAS licensees including the new license classes under the payment services regime will need to ensure that they have the resources to meet these standards."

Though the new cybersecurity requirements are due to take effect on 6 August 2020, MAS has confirmed that institutions could be given up to 5 February 2021 to comply with the specific requirements on multi-factor authentication and that in certain "extenuating circumstances" businesses could be given time beyond the 6 August compliance deadline to comply with the other requirements too.

The new requirements are designed to "raise the cyber security standards and strengthen cyber resilience of the financial sector", MAS said.

Tan Yeow Seng, chief cybersecurity officer at MAS, said: "Cyber threats in the financial sector are growing as a result of an increased digital footprint and pervasive use of the internet. The financial sector needs to remain vigilant and ensure that defences are able to counter varied and evolving threats. Good cyber hygiene can go a long way in protecting financial institutions from common types of cyber incursions. These fundamental and essential measures can be implemented by all financial institutions regardless of size or system complexity."