The regulator has set out mandatory requirements to govern the way in which banks and other financial institutions must act to foil cyber-security attacks.

Singapore’s principal financial regulator has set out the standards for banks, wealth managers and other sector players to follow as part of a crackdown on cyber-security attacks that continue to claim victims. Financial firms have 12 months in which to adopt the measures.

The Monetary Authority of Singapore has set out a notice on “cyber hygiene” requiring firms to enforce “robust security” for technology systems; tackle flaws in a timely manner; deploy security devices to restrict unauthorised traffic; take steps to mitigate risks of malware; secure system accounts with special privileges to prevent unauthorised access, and strengthen user authentication. 

Cyber-security attacks on financial institutions remain a major problem. A few days ago, US credit card firm Capital One suffered a massive breach, with about 100 million people affected. Singapore, which has sought to position itself as a tech-savvy jurisdiction, embracing digital banking and modern ideas, would have much to lose if its systems were to be taken down by hackers. Among organisations in the city-state that have been hit are The National University of Singapore and Nanyang Technological University (hit in 2018), reportedly by Iranian hackers. 

The MAS measures must be put in place by 6 August 2020. 

“Cyber threats in the financial sector are growing as a result of an increased digital footprint and pervasive use of the Internet. The financial sector needs to remain vigilant and ensure that defences are able to counter varied and evolving threats,” Tan Yeow Seng, chief cyber-security officer, MAS, said. “Good cyber hygiene can go a long way in protecting financial institutions from common types of cyber incursions. These fundamental and essential measures can be implemented by all financial institutions regardless of size or system complexity.”

MAS sought feedback from the public in September 2018 on the proposal before making this suite of cyber-security measures into legally binding requirements.