Singapore

MAS intensifies bout against cyberthreats for FIs

MAS proposed to make a slew of cybersecurity measures for financial institutions (FIs) into legally binding requirements.

As Singapore recovers from the aftermath of its biggest data breach in history, the de-facto central bank has proposed to beef up the cyber resilience of the financial services sector in a move reflecting the city state’s proactive steps to keep up with the growing sophistication of malicious cyber agendas.

This comes as the city’s top financial regulator proposed to make a slew of cybersecurity measures for financial institutions (FIs) as laid out in the years-old MAS Technology Risk Management Guidelines (TRMG) into legally binding requirements.

“Raising these measures into legally binding requirements will require FIs to focus on and ensure that these measures are well implemented,” a MAS spokesperson told Singapore Business Review. “Setting these requirements as a mandatory baseline for FIs will help enhance the security of FIs’ systems and networks, and ensure that the Singapore financial sector continues to be cyber resilient.”


Updating the existing guidelines is a welcome development that would beef up foundational cybersecurity practices of FIs and make it harder for attackers to reach sensitive assets, explained Sid Deshpande, Research Director at Gartner.

“Legislation focusing on cybersecurity should ideally be seen as enforcing matters which organisations undertake because they are the right thing to do,” echoed Tony Jarvis, Chief Strategist, Threat Prevention APAC, Middle East & Africa at Check Point Software Technologies.

Beyond brick-and-mortar lenders, the updated guidelines acknowledge the need for oversight over non-traditional entities powered by emerging technologies. “With the introduction of FinTech, covering everything from Blockchain to cryptocurrency to virtual banks and online lending, there are now a number of entities within the FSI industry that have not been bound by traditional legislation. These are the ones that are likely to require additional changes should such measures be enacted,” Jarvis added. 

Elevating the guidelines into enforceable rules may also mean that a number of FIs may have to shell out for additional cybersecurity investments in the form of hardware and software improvements, noted Joanne Wong, Senior Regional Director for Asia Pacific & Japan at LogRhythm.

Despite the massive threat, Singapore companies have not fully fortified their defenses: a survey by LogRhythm revealed that 27% of homegrown firms spent 10% or less of their IT budget on security in 2017. This is in line with global findings that laid bare a mismatch between corporate priorities and cyberthreats, as half of the global finance industry may be spending less than 1% of their revenue on cybersecurity since allocations remain focused on day-to-day operations, according to the Deloitte Cyber Risk Services CISO survey.

Investments in the people manning the fort will also have to be prioritised, especially since the SingHealth investigation revealed that a database administrator failed to immediately recognise the cyberthreat days before it spiralled out of control.

“Just like other nations around the world, shortage of cybersecurity talents is a key concern for Singapore. What Singapore needs to do is to further enhance public and private collaboration in training so that we have a new generation of talent that is adept in cybersecurity and at the same time, upskill the current IT workforce,” added Wong.

Although Singapore is not a laggard in cybersecurity, with the city state’s defense frameworks globally recognised as among the world’s most advanced, its cyber stance could benefit from anticipating threats and beefing up basic cybersecurity practices. Policies could also look into how to respond to and contain threats that have already erupted.

“Where I believe we are lacking though, is the incident response side of things. While we do well in defining how to protect our FI systems, not much guidance is given on how to respond to an incident, and it's left to each FI to develop their own response framework,” observed Justin Hammond, Regional Director - APAC, Customer Solutions and Support for Software Integrity Group at Synopsys.

“In this case, lessons learned from a breach at one institution might not be shared with others (such as the SingHealth incident, very little technical details were made public, so it would be hard for another healthcare provider to deploy updated countermeasures to defend against the same attack that SingHealth suffered),” he added.

Key target
Singapore’s status as a regional financial hub has long made it a prime target for malicious hackers. Days after the SingHealth breach, the Securities Investors Association reported that data on 70,000 members were stolen in 2013. In February 2017, the defense ministry disclosed a major hacking incident involving the theft of the personal data of 850 employees.

The industry fallout, however, could be harder on banks, which emerged as the top targets of the Tinba v3 Trojan malware campaign in 2015-2016 after accounting for a third (36%) of global attacks during the period compared to their peers in the US (12%) and the UK (4%), data from IBM Trusteer show.

This is because the allure of banks is not limited to their pool of monetary assets but also the amount of customer data they hold, noted Wong.

In the same vein, a key risk would come in the form of the one-stop data portal MyInfo. The state-built digital data repository platform, which automatically keys in data for bank applications, all but has a red target on its back.

Bloomberg has also identified banks’ growing tendency towards commingling as another key risk as major lenders have been turning to online marketplaces with the goal of owning and growing the wealth of customer data which they could monetise, up-sell and cross-sell. “The concern with commingling is that the impact of a breach would be greater, as additional information would be available within the records stolen,” added Check Point Software Technologies’ Jarvis.

Despite the associated risk, Singapore has never been one to falter as the government and private sector work overtime to seal its defenses with intensified investments into cybersecurity.

In one such show of resilience, the government resumed new Smart Nation projects after a slight pause brought about by the SingHealth cyber attack. "We should not allow such incidents to hold us back in building a Smart Nation and digital Government. We need to persist in our efforts to harness the potential of the digital age, whilst building deeper expertise in cyber security so that we can do so confidently," the government said in a statement.
