13 November, 2018
The Monetary Authority of Singapore (MAS) released a consultation paper on 6 September 2018 proposing a new Notice On Cyber Hygiene (Notice), which will set out cybersecurity measures (outlined below) for prescribed financial institutions regulated by the MAS (FIs). The notice seeks to outline a "clear and common cybersecurity waterline for the financial industry."
Most of these FIs are already subject to an existing Notice on Technology Risk Management (TRM Notice) and Technology Risk Management Guidelines, among others, which impose obligations in relation to managing technology risks. This proposed notice goes further to impose more prescriptive, legally binding obligations in relation to cybersecurity measures.
Will this affect you?
The MAS proposes to apply this notice not just to entities licensed, approved, registered or regulated by MAS but also to some other entities that MAS will be regulating in the future. As an example, the MAS specifically referenced persons who will be licensed under the proposed Payment Services Bill, including for account issuance, domestic money transfer, merchant acquisition and virtual currency services.
Notably, this notice will apply to a broader scope of FIs than the TRM Notice currently applies to, e.g., stored value facility holders and registered fund management companies. This means that even if these FIs are not currently expected to assess and identify which of their systems are critical systems, they may be required to do so in order to comply with certain requirements under this notice.
Where FIs have outsourcing arrangements relating to their IT systems, these FIs may seek to impose these standards on their outsourced service providers as well.
How will this affect you?
The notice sets out the following non-exhaustive list of proposed cyber hygiene measures:
Cyber Hygiene Requirements | Proposed Cyber Hygiene Measures |
Secure administrative accounts to prevent unauthorized access or use | |
Timely application of security patches to address vulnerabilities | |
Written security standards | |
Implement firewalls | |
Implement anti-virus measures | |
Implement multi-factor authentication | |
MAS accepts that differences in the scale, complexity and nature of business of different FIs may result in implementation differences between the various FIs.
Most FIs are likely to have IT security policies or procedures in place which may already cover some or all of these matters.
They should review existing policies to confirm that their standards are in line with the MAS' expectations as outlined in the proposed notice. They should also ensure that they are indeed carrying out ongoing validation checks or audits to confirm that these prescribed standards are met on an ongoing basis.
Implementation Timeline
MAS has proposed that the notice would be effective 12 months from its date of issuance.
MAS is seeking public feedback on the proposed notice. The consultation period will end on 5 October 2018.
For further information, please contact:
Stephanie Magnus, Principal, Baker & McKenzie.Wong & Leow
stephanie.magnus@bakermckenzie.com