Singapore is looking to introduce changes to existing guidelines on technology risk and business continuity management that will require financial organisations to implement more measures to boost their operational resilience. These aim to better prepare them for a physical and cybersecurity threat landscape that is rapidly changing, according to industry regulator Monetary Authority of Singapore (MAS).
The proposed changes would be made to the Technology Risk Management (TRM) and Business Continuity Management (BCM) guidelines, which were first established in 2013 and 2003, respectively. These put in place security practices and controls to address technology risks, as well as organisational response and recovery processes to minimise the impact of business disruptions.
MAS said on Thursday the changes included guidance on cyber surveillance, secure software development, and the management of security risks brought about by the Internet of Things (IoT). They also aimed to boost the development of business continuity plans to better account for interdependencies across business units within the financial institution and connections with external service providers, the authority said.
Banks and financial institutions, for example, increasingly were investing in emerging technologies such as APIs (application programming interfaces), smart electronic devices, and virtualisation, to improve service delivery and efficiency. If these were not implemented and managed properly, they might increase the cyber attack surface, MAS noted, adding that the new guidelines looked to manage such risks.
The proposed changes also would require financial institutions to conduct business continuity management audits through a unit independent of staff involved in the planning and execution of such plans, with internal audits being an example.
MAS's chief cybersecurity officer Tan Yeow Seng said: "A cyber attack can result in a prolonged disruption of business activities. Threats are constantly present and evolving in sophistication. We cannot afford to be complacent. Financial institutions must, therefore, remain vigilant and have in place effective technology risk management practices and robust business continuity plans to ensure prompt and effective response and recovery."
In a separate announcement, MAS also unveiled plans to form a new technology group that encompasses a data analytics group, information technology department, and technology and cyber risk supervision department.
The move was made to focus the authority's technology capabilities under one group and drive its digital transformation. It will support a more integrated approach to providing technology applications and systems as well as improve the management of evolving technology risks in the financial industry, MAS said.
The Singaporean government in January also formed a committee and released guidelines to beef up cybersecurity protection and capabilities in the telecommunications industry, including implementation best practices for IoT systems and electronic Know Your Customer (eKYC) technology that allows mobile operators to digitally authenticate service registrations. A "multi-year roadmap" is being planned to identify cyber threats and develop the capabilities and products needed to strengthen the country's connectivity infrastructure.