SINGAPORE – All financial services and fintech companies in Singapore should, from Monday (Jan 18), observe a new set of central bank guidelines to mitigate cyber threats, issued in the wake of a recent cyber attack that affected organisations around the globe.
The Monetary Authority of Singapore (MAS) now requires all financial institutions to evaluate the suppliers of their technology vendors.
In a typical evaluation, suppliers may be asked to show that their software source code is rigorously tested and that they avoid unsafe programming practices. They may also be asked to disclose their security measures and how they monitor and manage cyber risks.
The updated guidelines apply to all banks, payment processors such as GrabPay and Singtel Dash, and brokerage and insurance providers.
Mr Vincent Loy, assistant managing director of technology at MAS, said that using an external vendor that may in turn procure third-party solutions brings critical risks to the banking sector.
“Unknown third-party suppliers are what MAS is most worried about… Financial institutions that do not allocate sufficient financial resources may be more open to unknown third-party suppliers,” he stated.
The hacking of Texas-based SolarWinds, a leading supplier of IT management software, exposed thousands of corporations and government entities around the globe to risk.
SolarWinds’ IT management tools are common components in the products of many large vendors, including Microsoft, FireEye and Cisco Systems.
Mr Tan Yeow Seng, the MAS chief cyber security officer, said the financial sector is increasingly reliant on third-party service providers as it adopts new technologies.
“The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions,” he added.
An evaluation of third-party suppliers was previously not required under the MAS Technology Risk Management (TRM) guidelines, although due diligence on technology vendors already was.
The screening of component suppliers is now clearly spelt out in the revised TRM guidelines, which cover a range of topics to help firms fend off and recover from cyber attacks and system failures.
Risks from the use of open application programming interfaces (APIs), code that lets different applications communicate with one another, are also addressed in the updated TRM guidelines.
Banks have used APIs to automatically share foreign exchange rates, for instance. This has allowed many external developers to build forex conversion apps using the data.
Under the revised TRM guidelines, financial services firms should vet entities that access their APIs by looking at the nature of their business, cyber-security posture, business reputation and track record.
They should also secure the development of the APIs and encrypt sensitive data in transit to prevent leaks or the injection of malicious code through the APIs.
In another key change to the TRM guidelines, the board of directors and senior management of financial institutions should vet and approve key technology and cyber-security personnel.
“Organizations that do not have a good cyber-security posture usually do not have board and senior management oversight for IT functions and key appointments,” stated Mr Loy, citing findings of the central bank’s own audits.
Last revised in 2013, the TRM guidelines have been updated at a time of increased information sharing, which underpins the sector’s digital transformation.
The revision incorporated feedback from a public consultation in 2019 and other engagements with experts.
The guidelines elaborate on the mandatory requirements set out in the MAS TRM notice, first issued in 2013, non-compliance with which carries a fine of up to 100,000 SGD ($75,220) under the Banking Act.
For a continuing offence, an additional fine of up to 10,000 SGD ($7,522) per day may also be levied.