27 September 2018
The Monetary Authority of Singapore (“MAS”) has issued a consultation paper on a proposed “Notice on Cyber Hygiene” (“Notice”) which prescribes a set of essential cyber security practices that financial institutions (“FIs”) must put in place to manage cyber threats. These practices seek to enhance the security of FIs’ systems and networks and to mitigate the risk of unauthorised use of system accounts with extensive access privileges. Properly implemented, they mitigate a wide range of cyber attacks. The consultation closes on 5 October 2018.
Although these measures already form part of the existing MAS Technology Risk Management Guidelines, MAS proposes to elevate them into legally binding requirements so that they constitute a baseline cyber hygiene standard.
The Notice will take effect 12 months from the date of its issuance by MAS.
FIs will be required to implement six cyber security measures:
- address system security flaws in a timely manner
- establish and implement robust security for systems
- deploy security devices to secure system connections
- install anti-virus software to mitigate the risk of malware infection
- restrict the use of system administrator accounts that can modify system configurations
- strengthen user authentication for system administrator accounts on critical systems
The Notice will require FIs to comply with requirements relating to administrative accounts, security patches, security standards, firewalls, anti-virus and multi-factor authentication. To guide FIs in their implementation of these requirements, MAS has provided in the consultation paper a non-exhaustive list of measures that FIs can implement.
An FI must secure every administrative account on its system to prevent any unauthorised access to, or use of, such account. To meet this requirement, FIs may:
- keep a record of all administrative accounts in its system;
- implement strong password controls such as changing the default password, enforcing minimum password length and password complexity;
- grant access to administrative accounts only to authorised staff;
- regularly validate that only authorised persons have access to administrative accounts.
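The last two measures above (granting administrative access only to authorised staff and regularly validating that this remains the case) amount to a reconciliation of the accounts that actually hold privilege on each system against the FI’s approved register. The script below is an added example of that check for a Unix host; it is not part of the consultation paper and does not represent any MAS-prescribed tool. The passwd and group content, the group names treated as administrative (sudo, wheel, root) and the approved register are constructed assumptions for illustration.

```python
"""Added example: reconcile the accounts that hold privilege on a host
(uid 0, or membership of an administrative group) against an approved
register of administrators. All sample data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed stand-in for /etc/passwd (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001:Alice Tan:/home/alice:/bin/bash
bob:x:1002:1002:Bob Lim:/home/bob:/bin/bash
svc-backup:x:1003:1003:Backup service:/var/backup:/usr/sbin/nologin
carol:x:1004:1004:Carol Ng:/home/carol:/bin/bash
"""

# Constructed stand-in for /etc/group (name:x:gid:member,member).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:carol
users:x:100:alice,bob,carol
"""

# Assumption: groups that confer administrative privilege on this platform.
ADMIN_GROUPS = {"root", "sudo", "wheel"}

# Assumption: the FI's register of approved administrative accounts.
APPROVED_ADMINS = {"root", "alice", "bob"}


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str


def privileged_accounts(passwd_text: str, group_text: str) -> Dict[str, Set[str]]:
    """Return {account: {reasons}} for every account that is privileged,
    either because its uid is 0 or because it belongs to an admin group
    (as a supplementary member or via its primary gid)."""
    privileged: Dict[str, Set[str]] = {}
    admin_gids: Dict[str, str] = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        gname, _, gid, members = line.split(":")
        if gname in ADMIN_GROUPS:
            admin_gids[gid] = gname
            for member in filter(None, members.split(",")):
                privileged.setdefault(member, set()).add(f"member of {gname}")
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, gid, *_ = line.split(":")
        if uid == "0":
            privileged.setdefault(name, set()).add("uid 0")
        if gid in admin_gids:
            privileged.setdefault(name, set()).add(f"primary group {admin_gids[gid]}")
    return privileged


def reconcile(privileged: Dict[str, Set[str]], approved: Set[str]) -> List[Finding]:
    """Flag privileged accounts missing from the register (unauthorised
    access) and register entries that no longer hold privilege (stale)."""
    findings: List[Finding] = []
    for account in sorted(privileged):
        if account not in approved:
            reasons = ", ".join(sorted(privileged[account]))
            findings.append(Finding(account, f"privileged ({reasons}) but not in approved register"))
    for account in sorted(approved - set(privileged)):
        findings.append(Finding(account, "in approved register but holds no privilege; review for staleness"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP), APPROVED_ADMINS):
        print(f"{finding.account}: {finding.reason}")
```

On the sample data the check reports two accounts: a second uid-0 account (toor) that the register does not know about, and carol, who gained wheel membership without being approved. Run against real hosts, the same comparison also needs to cover domain groups, application-level administrator roles and service accounts, which this host-local view does not see.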
An FI must apply security patches to address vulnerabilities in its system within a timeframe commensurate with the risk to the FI of such vulnerabilities being exploited. If no security patch is available to address a vulnerability, the FI must institute controls to reduce any risk posed by such vulnerability to its system.
To meet these requirements, FIs may perform regular checks for available security patches and establish a framework to assess the criticality of any available patch and the timeframe within which the patch must be implemented. The framework should include controls to reduce any risk in the event a patch cannot be applied.
The Notice requires an FI to have a written set of security standards for its system and ensure its system conforms to the set of security standards. Where the system is unable to conform to the set of security standards, the FI must institute controls to reduce any risk posed by such non-conformity. To meet these requirements, an FI may:
- establish, document and keep up-to-date security standards;
- ensure every system complies with the security standards established by the FI;
- where a system cannot fully conform to the security standards, formally approve the deviation and take steps to reduce any risk it poses.
An FI must implement one or more firewalls at its network perimeter to restrict all unauthorised network traffic. To implement this requirement, FIs may:
- implement one or more firewalls at the network perimeter in order to segment the internal network from the public Internet;
- configure any implemented firewalls and regularly review the firewall rules to only allow authorised network traffic to pass through.
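The second measure, a regular review of the firewall rules so that only authorised traffic passes, is routinely done by comparing the live rule base against the FI’s register of authorised inbound services. The script below is an added example of such a review; it is not part of the consultation paper and does not represent any MAS-prescribed tool. The rule format, the sample rule set, the addresses and the authorised-service register are constructed assumptions for illustration.

```python
"""Added example: review a perimeter firewall rule set (in evaluation order)
against a register of authorised inbound services. Flags rules that allow
any protocol/port, services absent from the register, sources wider than
authorised, and a rule set that does not end in an explicit deny-all.
All sample rules and addresses are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

ANY_NET = "0.0.0.0/0"

# Constructed rule set, in the order the firewall evaluates it.
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "src": ANY_NET, "dst": "203.0.113.10/32", "proto": "tcp", "dport": "443"},
    {"id": 20, "action": "allow", "src": "198.51.100.0/24", "dst": "203.0.113.20/32", "proto": "tcp", "dport": "22"},
    {"id": 25, "action": "allow", "src": ANY_NET, "dst": "203.0.113.20/32", "proto": "tcp", "dport": "22"},
    {"id": 30, "action": "allow", "src": ANY_NET, "dst": "203.0.113.0/24", "proto": "any", "dport": "any"},
    {"id": 40, "action": "allow", "src": ANY_NET, "dst": "203.0.113.30/32", "proto": "tcp", "dport": "3389"},
]

# Assumption: the FI's register of authorised inbound services,
# keyed by (destination, protocol, port) -> permitted source networks.
AUTHORISED: Dict[Tuple[str, str, str], List[str]] = {
    ("203.0.113.10/32", "tcp", "443"): [ANY_NET],
    ("203.0.113.20/32", "tcp", "22"): ["198.51.100.0/24"],
}

DENY_ALL = {"id": 999, "action": "deny", "src": ANY_NET, "dst": ANY_NET, "proto": "any", "dport": "any"}


def _allows_any_service(rule: dict) -> bool:
    return rule["proto"] == "any" or rule["dport"] == "any"


def _is_deny_all(rule: dict) -> bool:
    return (rule["action"] == "deny" and rule["src"] == ANY_NET
            and rule["dst"] == ANY_NET and _allows_any_service(rule))


def review_rules(rules: List[dict], authorised: Dict[Tuple[str, str, str], List[str]]
                 ) -> List[Tuple[Optional[int], str]]:
    """Return (rule id, message) findings; rule id None means the rule set
    as a whole lacks a closing deny-all."""
    findings: List[Tuple[Optional[int], str]] = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        rid = rule["id"]
        if _allows_any_service(rule):
            findings.append((rid, f"allows any protocol/port to {rule['dst']}; too broad for a perimeter rule"))
            continue
        key = (rule["dst"], rule["proto"], rule["dport"])
        if key not in authorised:
            findings.append((rid, f"service {rule['proto']}/{rule['dport']} to {rule['dst']} is not in the authorised register"))
            continue
        src = ipaddress.ip_network(rule["src"])
        if not any(src.subnet_of(ipaddress.ip_network(net)) for net in authorised[key]):
            findings.append((rid, f"source {rule['src']} is wider than the authorised sources {authorised[key]}"))
    if not rules or not _is_deny_all(rules[-1]):
        findings.append((None, "rule set does not end with an explicit deny-all; default policy must be deny"))
    return findings


if __name__ == "__main__":
    for rid, message in review_rules(SAMPLE_RULES, AUTHORISED):
        print(f"rule {rid}: {message}")
```

On the sample rule set the review flags rule 25 (SSH opened to the whole Internet although only one management network is authorised), rule 30 (an any/any allow that would also make every later rule irrelevant for that subnet), rule 40 (a service nobody authorised) and the absence of a closing deny-all. The same comparison run on a schedule, with its output kept, is the evidence an FI would produce to show that rules are "regularly reviewed".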
To mitigate the risk of malware infection on its system, an FI must implement one or more anti-virus measures. To meet this requirement, FIs may, for example, install anti-virus software and update the software and its signatures promptly.
An FI must implement multi-factor authentication for all administrative accounts on its critical system (e.g. an administrative account of an operating system on any critical system), and all accounts on any system used by the FI to access confidential information through the Internet (e.g. an account belonging to the human resource department that can be used to remotely access staff information through the Internet).
The following materials are available on the MAS website www.mas.gov.sg:
- Media release
- Consultation Paper on Notice on Cyber Hygiene
- Template for Response to Consultation Paper on Notice on Cyber Hygiene