04 November, 2015
The Monetary Authority of Singapore (“MAS”) has recently issued two circulars to Financial Institutions (“FI”) supervised by MAS focusing on cyber security related issues. The first circular concerned technical and internal control processes FIs should implement to detect early any cyber intrusions, while the second outlined the expectation of MAS that FIs should put in place technology risk and cyber security training programmes for Board members and senior management.
The MAS circulars are further evidence of the increasing focus of regulators across sectors in the region on cyber security for organisations and on the responsibility of boards and senior management for oversight of this business critical area.
Early Detection of Cyber Intrusions
The first circular, released on 24 August 2015, noted that FIs are increasingly being targeted by hackers using ever more sophisticated techniques. As a result, FIs need to have strong cyber resilience and implement robust capabilities to detect any cyber intrusions.
Even though not all attacks can be prevented, the speed at which an FI detects and responds to an intrusion is crucial. To achieve this, FIs need to maintain a keen sense of situational awareness, which can be done by continuously enhancing their technical internal control processes to monitor and detect network intrusions (where internal and external networks may be infiltrated), for example by putting in place decoys, sensors and/or other appropriate capabilities to detect anomalous traffic across systems within internal networks. FIs should also put in place mechanisms to monitor, detect and prevent intrusions into systems, servers, network devices and endpoints.
In the event of a successful cyber breach, FIs should perform a thorough investigation to determine the extent of the infiltration, any damage caused, and the vulnerabilities that were exploited by the infiltrator. This should form part of the FI’s capabilities to detect cyber intrusions, and FIs are to continually evolve and improve their ability to anticipate, withstand, detect and respond to cyber attacks. FIs should perform regular gap analyses and risk assessments to determine whether their controls remain holistic and adequate, and response and recovery plans remain effective. Importantly, FIs should also put in place a roadmap to address any gaps that are found.
Technology Risk and Cyber Security Training for Board
The second circular, released on 9 October 2015, again noted that the risk and potential impact of cyber attacks have increased. This circular made it clear that an FI’s Board of Directors and senior management are responsible for the oversight of technology risks and cyber security. Particular responsibilities include endorsing the FI’s IT strategy and risk tolerance and ensuring that an appropriate accountability structure and organisational risk culture around cyber security is in place in the FI.
The circular also outlined MAS’ expectation that the Board of Directors should be regularly apprised of salient technology and cyber risk developments. To that end, a comprehensive technology risk and cyber security training programme for the Board should be implemented, with the ultimate goal of equipping the Board to competently exercise its oversight function. One suggestion raised by MAS was periodic briefings conducted by cyber security professionals.
What should your organisation be doing in response to the circulars?
Financial institutions in particular should ensure organisational cyber security readiness by:
- dealing with cyber security as an organisational, and not just an IT, issue;
- putting in place processes to monitor, detect and ultimately prevent intrusions into networks, systems, servers, network devices and endpoints, and continuously enhancing technical and administrative controls;
- embedding and maintaining a culture of cyber security awareness by implementing comprehensive technology risk and cyber security training programmes for all staff, in particular for senior management and the board of directors;
- implementing robust cyber security response and recovery plans consistent with regulatory requirements which are regularly tested and reviewed to keep ahead of evolving threats, amongst a comprehensive suite of standards, policies and procedures relating to cyber security;
- conducting a thorough investigation in the event of any cyber breaches to determine the extent of the infiltration, any damage caused, and the vulnerabilities that were exploited;
- considering other preventative and protective measures, including how the business engages with third party service providers and the possibility of cyber insurance; and
- liaising with industry and government advisory bodies, such as the Singapore Cyber Security Agency.
For further information, please contact:
Mark Robinson, Partner, Herbert Smith Freehills
mark.robinson@hsf.com