Singapore: Monetary Authority Of Singapore Panel Urges Financial Institutions To Adopt Cybersecurity Measures

An international cybersecurity advisory panel formed by the Monetary Authority of Singapore (MAS) has recommended that all financial institutions in Singapore ensure that data stored on the public cloud is kept secure, and that they perform cybersecurity risk assessments on their third-party providers.

These proposals were raised at the panel's second annual meeting, after its members had met with representatives from the Standing Committee on Cyber Security from the Association of Banks in Singapore, Life Insurance Association Singapore and General Insurance Association of Singapore.

The panel also noted that there had been an increase in use by financial institutions of application programming interfaces (APIs) to build software and applications. As use of such APIs could pose a greater risk of cyber threats, the panel suggested specific ways in which the institutions should combat such risk; for instance:

• conducting "red-teaming" cyberattack simulations
• securing network connections with any third party providers
• monitoring for any suspicious cyber activity.

Comment

Cyber risk should be a top priority for all financial institutions, particularly as they continue to digitalize. It is expected that existing regulations on technology risk management and guidelines on outsourcing by banks in Singapore will also soon be reviewed as mandatory breach reporting is introduced under Singapore's data protection legislation. It would therefore be an opportune time for financial institutions with operations in Singapore to consider updating their cybersecurity policies to incorporate the MAS panel's recommendations as above, as well as to run a mock exercise to test their resiliency in the event of a cyberattack. Financial institutions should also consider retaining external counsel to advise on any third-party agreements that they may enter into, to ensure that the institutions have all the necessary and appropriate warranties, audit rights and contractual indemnities in case of relevant cyber incidents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.