From 6 August 2020, Financial Institutions (FIs) must comply with a new set of requirements to raise the cyber security standards and strengthen cyber resilience of the financial sector.
These mandatory elements in the existing MAS Technology Risk Management (TRM) Guidelines include:
- Establishing and implementing robust security for IT systems
- Ensuring updates are applied to address system security flaws in a timely manner
- Deploying security devices to restrict unauthorized network traffic
- Implementing measures to mitigate the risk of malware infection
- Securing the use of system accounts with special privileges to prevent unauthorized access
- Strengthening user authentication for critical systems as well as systems used to access customer information
A concession is made for a period of 6 months, from 6 August 2020 to 5 February 2021 (both dates inclusive), on the implementation of multi-factor authentication if FIs meet all of the following:
- Risk assessment - Identify all risks or potential risks posed by the FI's non-compliance with the requirement to implement multi-factor authentication
- Controls - Implement controls to reduce the risks identified above
- Appoint a committee or member of senior management - They must agree with the risk assessment and find the implemented controls adequate to reduce the risks
The TRM Guidelines are a set of best practices that provide financial institutions with guidance on the oversight of technology risk management, and on the security practices and controls needed to address technology risks. MAS expects FIs to observe the guidelines, as this is taken into account in MAS' risk assessment of the FIs.
Penalties and repercussions of non-compliance
In case of non-compliance with the MAS TRM Guidelines, the FI can face penalties and repercussions in various forms, which include:
- Reputational damage by being blacklisted or highlighted as an institution that does not comply with cyber security policies
- Penalties in the form of fines of varying degrees for not meeting the various requirements set out in the guidelines
- Cancellation of the licence to conduct business activities and/or operate in Singapore
How can FIs prepare?
For a start, all FIs, irrespective of system complexity, should conduct a CYBER SECURITY RISK HEALTH CHECK.
Review your IT security practices and your response capabilities for dealing with unexpected cyber threats or events now!
About Stone Forest IT
Stone Forest IT has over 30 years of experience supporting mid-tier FIs. Our domain experts help FIs become secure and vigilant organisations through practical solutions that integrate people, data, processes and technology within a cyber defence framework that builds cyber resilience and regulatory compliance.