What the MAS' Cyber Hygiene Circular Means for Singapore-Based Financial Firms
On 6 August 2019, the Monetary Authority of Singapore (MAS) issued a set of legally binding requirements to raise the cybersecurity standards and strengthen the cyber resilience of the financial sector. The Notice on Cyber Hygiene sets out the measures financial institutions must take to mitigate the growing risk of cyber threats, and they must comply with it by 6 August 2020.
With the MAS deadline approaching for Singapore-based firms to have their cyber hygiene in order, today's blog article explores the compulsory cybersecurity standards and requirements announced by the authority last year, together with technology guidelines on meeting them in the most effective and secure manner.
As per the notice, it is mandatory for all financial institutions in Singapore to comply with the following requirements:
All relevant entities must ensure that every administrative account in respect of any operating system, database, application, security appliance or network device, is secured to prevent any unauthorised access to or use of such account.
Financial firms can apply the principle of least privilege to all systems and data, so that access is limited to only those individuals in the firm who need it to perform their roles.
Some good practices to heighten security are outlined below:
Deploying access control lists on all applications and data
Creating inbound/outbound internet access control lists
The use of audited OTPs (one-time passwords) and least-privilege shared accounts for network access is recommended
Firms are asked to ensure that security patches are applied to every system to address its vulnerabilities. Patch management is an important element in maintaining system security and availability. There are three general categories of patches:
Security Patches. These are created to eliminate any security gaps. Generally, these patches are rolled out or made available at short notice. Based on the urgency of the security patch, these patches may need to be implemented as quickly as possible, and often require to be implemented in an emergency maintenance window.
Bug Patches. These are created to eliminate any functional restrictions discovered and are tested with regard to their impact on operations. Depending on the impact or potential impact of the identified bug(s), firms will need to implement bug patches quickly to address reliability or performance issues, which often requires short-notice maintenance windows.
Service Packs/Version Upgrades. The implementation of patches to improve and expand functional scope is recommended. They should be tested with regard to their impact on operations and then rolled out or made available. Service packs/version upgrades should only be installed during maintenance windows scheduled well in advance.
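The three categories above map naturally onto a patch-compliance report: for each system, list the applicable patches it has not yet reached, attach the maintenance window the category calls for, and flag what is overdue. The script below is an added example written for this article, not code from MAS or any vendor; the system inventory, the patch feed and the day counts used as internal SLAs are all constructed for illustration.

```python
"""Patch-compliance check over a constructed system inventory (added example).

The inventory, patch feed and SLA day counts are constructed for illustration
and are not taken from the MAS notice or any vendor.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maintenance-window policy keyed by the three patch categories described above.
# The day counts are assumed internal SLAs, not figures from the circular.
WINDOW_POLICY = {
    "security": ("emergency maintenance window", 7),
    "bug": ("short-notice maintenance window", 30),
    "service_pack": ("scheduled maintenance window", 90),
}
SEVERITY = {"security": 0, "bug": 1, "service_pack": 2}
REPORT_DATE = date(2020, 7, 20)   # constructed "today" for the sample run


def parse_version(text):
    """'12.4' -> (12, 4): compare versions numerically, not as strings ('1.9' < '1.10')."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Patch:
    product: str
    version: tuple      # version level a system reaches once the patch is applied
    category: str       # "security" | "bug" | "service_pack"
    released: date


@dataclass
class System:
    name: str
    product: str
    installed: tuple    # currently installed version


def missing_patches(systems, patches, today):
    """Return one finding per (system, applicable patch not yet installed)."""
    findings = []
    for system in systems:
        for patch in patches:
            if patch.product != system.product or patch.version <= system.installed:
                continue  # different product, or already at or above this level
            window, sla_days = WINDOW_POLICY[patch.category]
            due = patch.released + timedelta(days=sla_days)
            findings.append({
                "system": system.name,
                "patch": f"{patch.product} {'.'.join(map(str, patch.version))}",
                "category": patch.category,
                "window": window,
                "due": due,
                "overdue": today > due,
            })
    # Security patches first, overdue items before pending ones, earliest due date first.
    findings.sort(key=lambda f: (SEVERITY[f["category"]], not f["overdue"], f["due"]))
    return findings


# Constructed sample data: three systems, three published patches.
SYSTEMS = [
    System("db01", "postgres", parse_version("12.3")),
    System("app02", "postgres", parse_version("12.5")),
    System("web01", "nginx", parse_version("1.18.0")),
]
PATCHES = [
    Patch("postgres", parse_version("12.4"), "security", date(2020, 6, 1)),
    Patch("postgres", parse_version("12.5"), "bug", date(2020, 7, 1)),
    Patch("nginx", parse_version("1.20.0"), "service_pack", date(2020, 7, 15)),
]

if __name__ == "__main__":
    for f in missing_patches(SYSTEMS, PATCHES, REPORT_DATE):
        state = "OVERDUE" if f["overdue"] else "pending"
        print(f"{f['system']:6} {f['patch']:16} {f['category']:13} {f['window']} due {f['due']} {state}")
```

Run as-is, the report puts db01's missing security patch at the top as overdue for the emergency window, followed by its pending bug patch and web01's pending version upgrade; app02 is already current. Versions are compared as integer tuples so that a 1.10 release is correctly treated as newer than 1.9, a common mistake in home-grown patch scripts.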
All firms are required to have a written set of security standards for every system, and to ensure that these are always conformed to. Investment firms should look to conduct risk assessments on an annual basis in order to identify potential risks and establish a means to mitigate them through the implementation of control mechanisms. Regular vulnerability assessments are also advised to continuously measure the level of risks a firm is exposed to, and to implement the correct defence practices to mitigate these.
Network Perimeter Defence
The circular asks that financial firms implement adequate controls to restrict all unauthorised network traffic. The use of next generation firewalls is recommended as an effective network perimeter defence. Take a look at this article to learn the difference between traditional and next generation firewalls in depth.
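Whether the perimeter is a traditional firewall or a next-generation one, the access control lists it enforces (including the inbound and outbound lists recommended earlier in this article) can be reviewed mechanically for the failures that let unauthorised traffic through: a chain that does not end in a default deny, any-to-any allows, remote-administration ports reachable from any source, and rules that can never match because an earlier rule already covers them. The script below is an added example written for this article, not a vendor tool; the rule format and the whole rule set are constructed, and the list of administrative ports is an assumption.

```python
"""Perimeter rule-set review (added example; all rules are constructed).

Models a first-match-wins access control list with separate inbound and
outbound chains and reports the hygiene failures a reviewer looks for first.
"""
import ipaddress
from dataclasses import dataclass

# Assumed ports used for remote administration.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM"}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "inbound" | "outbound"
    action: str      # "allow" | "deny"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    port: object     # TCP port number or "any"


def _covers_addr(wide, narrow):
    """True if the address set `wide` contains every address in `narrow`."""
    if wide == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(wide).supernet_of(ipaddress.ip_network(narrow))


def covers(earlier, later):
    """True if every packet `later` would match is already matched by `earlier`."""
    return (earlier.direction == later.direction
            and _covers_addr(earlier.src, later.src)
            and _covers_addr(earlier.dst, later.dst)
            and earlier.port in ("any", later.port))


def is_default_deny(rule):
    return rule.action == "deny" and rule.src == rule.dst == rule.port == "any"


def review_rules(rules):
    """Return (rule name, issue) pairs; '*' names a chain-level issue."""
    findings = []
    for direction in ("inbound", "outbound"):
        chain = [r for r in rules if r.direction == direction]
        if not chain or not is_default_deny(chain[-1]):
            findings.append(("*", f"{direction} chain does not end with a default deny"))
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == "any" and rule.dst == "any":
            findings.append((rule.name, "allows any source to any destination"))
        if (rule.action == "allow" and rule.direction == "inbound"
                and rule.src == "any" and rule.port in ADMIN_PORTS):
            findings.append((rule.name, f"exposes {ADMIN_PORTS[rule.port]} to any source"))
        for earlier in rules[:i]:   # first match wins, so only earlier rules can shadow
            if covers(earlier, rule):
                findings.append((rule.name, f"never matches; fully covered by earlier rule {earlier.name}"))
                break
    return findings


# Constructed rule set, in evaluation order.
RULES = [
    Rule("web-in",    "inbound",  "allow", "any",            "10.0.1.0/24", 443),
    Rule("admin-ssh", "inbound",  "allow", "any",            "any",         22),
    Rule("jump-ssh",  "inbound",  "allow", "192.168.5.0/24", "10.0.1.0/24", 22),
    Rule("deny-in",   "inbound",  "deny",  "any",            "any",         "any"),
    Rule("proxy-out", "outbound", "allow", "10.0.0.0/8",     "any",         443),
    Rule("all-out",   "outbound", "allow", "any",            "any",         "any"),
]

if __name__ == "__main__":
    for name, issue in review_rules(RULES):
        print(f"{name:10} {issue}")
```

On the sample rules the review reports that the outbound chain has no default deny, that admin-ssh both allows any-to-any and exposes SSH to every source, that jump-ssh (the intended, narrowly scoped rule) never fires because admin-ssh already covers it, and that all-out lets any outbound traffic through. The shadowing check is what turns "we have a rule for the jump host" into "that rule is dead", which is the kind of finding a rule-set review exists to produce.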
Financial firms must ensure that one or more malware protection measures are implemented on every system to mitigate the risk of malware infection, where such malware protection measures are available and can be implemented.
To adhere to this requirement and to ensure complete security against outside intruder threats, investment firms are strongly urged to consider the following layers of security:
Network intrusion detection and prevention systems
Hardware and software firewalls
Encryption and application filters
Targeted attack protection (TAP)
Multi-Factor Authentication (MFA)
Lastly, the circular requires all relevant firms to ensure multi-factor authentication is implemented for all administrative accounts, as well as those with access to any classified or sensitive data. Investment firms that do not already have MFA in place are advised to implement two-factor authentication as a minimum for any application or company asset being accessed remotely, to ensure complete security. Have a read of this article to get to grips with MFA.
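The first requirement (securing administrative accounts under least privilege, with audited OTPs for shared accounts) and this last one (MFA on administrative and sensitive-data access) are checked against the same object: the account inventory. The script below is an added example written for this article, not code from MAS or any identity product; the role baselines, the sets of administrative and sensitive entitlements, and the four sample accounts are all constructed.

```python
"""Administrative-account hygiene review (added example; accounts are constructed).

Checks each account against a least-privilege role baseline, requires MFA on
administrative and sensitive-data access, and flags shared accounts that lack
audited one-time passwords or that hold administrative privileges.
"""
from dataclasses import dataclass

# Assumed role baselines: the entitlements each role needs and nothing more.
# An unknown role has an empty baseline, so every entitlement it holds is excess.
ROLE_BASELINE = {
    "dba": {"db.read", "db.write", "db.admin"},
    "developer": {"app.deploy", "db.read"},
    "analyst": {"db.read", "reports.read"},
    "backup_service": {"db.read"},
}
# Assumed: entitlements that make an account administrative, or that grant
# access to classified or sensitive data (both require MFA under the notice).
ADMIN = {"db.admin", "os.root", "fw.admin"}
SENSITIVE = {"pii.read"}


@dataclass
class Account:
    name: str
    role: str
    entitlements: frozenset
    mfa: bool
    shared: bool = False
    otp_audited: bool = False   # only meaningful for shared accounts


def excess_entitlements(account):
    """Entitlements held beyond the role baseline; empty means least privilege holds."""
    return account.entitlements - ROLE_BASELINE.get(account.role, set())


def is_administrative(account):
    return bool(account.entitlements & ADMIN)


def requires_mfa(account):
    return is_administrative(account) or bool(account.entitlements & SENSITIVE)


def review_accounts(accounts):
    """Return (account name, issue) pairs for every hygiene failure found."""
    findings = []
    for acct in accounts:
        extra = excess_entitlements(acct)
        if extra:
            findings.append((acct.name, f"entitlements beyond role baseline: {sorted(extra)}"))
        if requires_mfa(acct) and not acct.mfa:
            findings.append((acct.name, "administrative or sensitive access without MFA"))
        if acct.shared and not acct.otp_audited:
            findings.append((acct.name, "shared account without audited one-time passwords"))
        if acct.shared and is_administrative(acct):
            findings.append((acct.name, "shared account holds administrative privileges"))
    return findings


# Constructed sample inventory.
ACCOUNTS = [
    Account("alice", "dba", frozenset({"db.read", "db.write", "db.admin"}), mfa=True),
    Account("bob", "developer", frozenset({"app.deploy", "db.read", "os.root"}), mfa=False),
    Account("carol", "analyst", frozenset({"db.read", "reports.read", "pii.read"}), mfa=True),
    Account("svc-backup", "backup_service", frozenset({"db.read"}), mfa=False, shared=True),
]

if __name__ == "__main__":
    for name, issue in review_accounts(ACCOUNTS):
        print(f"{name:11} {issue}")
```

On the sample inventory alice is clean; bob holds os.root outside his developer baseline and has no MFA on that administrative access; carol has MFA but holds pii.read beyond the analyst baseline; and svc-backup is a shared account without audited one-time passwords. Running a review like this before the 6 August 2020 deadline gives a firm a concrete list of accounts to fix rather than a policy statement that least privilege and MFA "are in place".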