Knowledge Highlights 23 August 2019
On 6 August 2019, the Monetary Authority of Singapore (“MAS”) issued a set of legally binding requirements to raise the cybersecurity standards and strengthen cyber resilience of the financial sector. The Notice on Cyber Hygiene (“Notice”) sets out the measures that financial institutions (“FIs”) must take to mitigate the growing risk of cyber threats and will come into effect on 6 August 2020.
The Notice makes key requirements in the existing MAS Technology Risk Management Guidelines legally binding. Given the persistent and evolving nature of cyber threats, FIs and the other entities to whom the Notice applies (“relevant entities”) must implement these requirements to secure their IT systems and protect them from cyber-attacks.
Briefly, it is mandatory for FIs to comply with the following requirements:
- Establish and implement robust security for IT systems;
- Ensure updates are applied to address system security flaws in a timely manner;
- Deploy security devices to restrict unauthorised network traffic;
- Implement measures to mitigate the risk of malware infection;
- Secure the use of system accounts with special privileges to prevent unauthorised access; and
- Strengthen user authentication for critical systems as well as systems used to access customer information.
FIs have 12 months to put these measures in place before the requirements come into effect on 6 August 2020.
MAS had sought feedback from the public in September 2018 on the proposal to make this suite of cybersecurity measures into legally binding requirements. FIs generally welcomed these measures and provided some suggestions regarding implementation of the requirements. MAS issued its response to feedback received on 6 August 2019 (“Response”), together with the Notice.
Response to feedback received
The Response emphasises that it is of paramount importance that all relevant entities secure their IT systems according to the requirements set out in the Notice. Cyber-attacks present a clear and substantial threat to the financial sector. Every FI, or relevant entity, must strengthen its cyber resilience to guard against such threats. The Notice prescribes a set of fundamental cybersecurity requirements that are effective in mitigating prevalent cyber threats.
Some key comments set out by MAS in the Response are discussed here.
In the Response, MAS clarifies that the Notice does not apply to exempt financial advisers, representatives of financial advisers, or individuals who are insurance agents. MAS imposes the requirements set out in the Notice at the entity level, that is, on the licensed financial adviser rather than on its representatives. Additionally, foreign-incorporated recognised market operators (RMOs), foreign-incorporated recognised clearing houses (RCHs) and licensed foreign trade repositories (LFTRs) are not targeted by the Notice, as most of these entities’ activities are not performed in Singapore.
In relation to the applicability of the Notice to third parties, MAS states that it views systems provided by third parties as being within the control of the relevant entity, since the entity is able to impose terms and conditions in its contractual agreements with those third parties. In practice, this means a relevant entity cannot rely on outsourcing to place a system outside the Notice; it remains responsible for ensuring, through its contracts and oversight, that the third-party system meets the Notice’s requirements.
MAS also clarified that non-user-held or non-interactive administrative accounts, such as service accounts or system accounts used by operating systems to run services, are excluded from the Notice. The requirements on administrative accounts are therefore directed at accounts with special privileges that are held and used interactively by individuals.
Some respondents requested that MAS prescribe specific measures to aid relevant entities in meeting the requirements in the Notice. MAS declines to do so, explaining that because the Notice applies to relevant entities of varying size and complexity, prescribing specific measures, such as a review frequency or a fixed set of system parameters, would not be practical. MAS therefore expects relevant entities to have in place a proper IT risk management framework to assess their risks and to implement appropriate measures, in compliance with the Notice, to mitigate those risks.
Differences between Notice and TRMN
In response to queries regarding the difference between the Notice and the MAS Notice on Technology Risk Management (“TRMN”), MAS clarifies that the Notice requires relevant entities to implement a set of cybersecurity measures to protect and secure their systems from cyber-attacks. The TRMN, on the other hand, sets out requirements for FIs to maintain a high level of availability and recoverability in their critical systems, protect customer information from unauthorised access or disclosure, and to report relevant incidents to MAS. MAS has also aligned the definition of “critical systems” in the Notice with that of the TRMN.
MAS received feedback requesting the prescription of minimum standards in relation to, inter alia, securing administrative accounts and implementing security standards. MAS notes that it will share some common industry practices in an FAQ issued together with the Notice to guide relevant entities on securing administrative accounts on their systems. With regard to guidance on the scope and type of security standards, MAS advises that reference may be made to internationally recognised industry best practices, such as those published by the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), when formulating security configuration standards to harden or otherwise improve the security of a relevant entity’s systems.
The Response states that relevant entities should, as far as possible, adopt available industry security standards to govern the configuration of devices deployed in their organisation. Where there are no industry standards available for certain types of devices, relevant entities could identify the security principles and objectives applicable to those devices after due study of the devices’ settings and configurations.
In light of feedback received during the public consultation, MAS has substituted the term “anti-virus” with “malware protection” as the latter is a broader term which includes all types of malicious software and better reflects the MAS’ intentions. MAS states in the Response that prior to implementing malware protection measures, relevant entities should perform their own risk assessment to determine if other measures are required to enhance their capabilities to mitigate the threat of malware infection of their systems.
Feedback was provided that the definition of confidential information in the Notice was too wide and could include almost all information within the organisation including information held by third parties but belonging to the organisation. MAS has clarified that it will only require relevant entities to protect customer information. Customer information has been defined in the Notice to mean any information relating to, or any particulars of, any customer of the relevant entity where a named customer or group of named customers can be identified, or is capable of being identified, from such information.
The Notice requires relevant entities to introduce multi-factor authentication (“MFA”) for accessing administrative accounts on critical systems, regardless of the access channel (that is, leased line or VPN). For accessing customer information over the Internet, MAS indicates that relevant entities should determine how to implement MFA (for example, at the VPN server or at the application to authenticate users).
Effective date of the Notice
MAS received feedback suggesting that the 12-month time frame for implementing the provisions of the Notice was insufficient. The Response states that MAS is of the view that the requirements in the Notice are not new and that relevant entities should already have these fundamental cybersecurity measures in place. The 12-month period is therefore, in MAS’ view, adequate to achieve compliance. The MFA requirement is subject to a later deadline of 5 February 2021, subject to the fulfilment of specific conditions set out in the Notice.
MAS will assess the extent of compliance with the Notice in the course of its supervision of relevant entities. A relevant entity that has not complied within the specified timeframe will have to demonstrate extenuating circumstances for its non-compliance.