MAS proposes legal binding measures for enhancing cyber security of financial institutions

The measures are part of existing MAS Technology Risk Management Guidelines. They are aimed at enhancing the security of financial institutions’ systems and networks and reducing the risk of unauthorised system use.

These measures were originally proposed as a baseline standard for cybersecurity that financial institutions could choose to adopt. In view of the increase in cybersecurity breaches recently, MAS is now proposing to elevate them into legally binding requirements.

The six measures are:

• addressing system security flaws in a timely manner
• establishing and implementing robust security for systems
• deploying security devices to secure system connections
• installing anti-virus software to mitigate the risk of malware infection
• restricting the use of system administrator accounts that can modify system configurations, and
• strengthening user authentication for system administrator accounts on critical systems.

Technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, the law firm behind Out-Law.com, said, "The TRM guidelines originate from 2001 with the last update in 2014 consolidating various portions and hardening incident notification procedures".

"This latest round of proposals entrenches specific practices for all financial institutions without exception and clearly ups the game in the battle to ensure the industry’s cyber-security. The regulator is clearly not leaving any stone unturned," Tan said.

The public consultation will run from 6 September to 5 October 2018.