
The Financial Sector’s Guide to Complying with the MAS’ Cyber Hygiene Notice + Webinar Replay

By Amisha Shah | Thursday, July 23rd, 2020

Last summer, in August 2019, the Monetary Authority of Singapore (MAS) issued a set of legally binding requirements to raise the cybersecurity standards and cyber resiliency of the financial sector.

Following a spate of data breaches globally, including the 2018 SingHealth breach in which the personal data of 1.5 million patients, and the outpatient prescription records of about 160,000 of them, were stolen, the MAS became the first financial authority in the world to mandate cyber hygiene. To reduce the likelihood of such breaches, all MAS-regulated financial institutions in Singapore must follow the cyber hygiene rules set out in the notice and have the associated security practices in effect by Thursday, 6th August 2020.

As that deadline approaches, cyber and technology experts from Eze Castle Integration shared tips in a recent webinar to help financial firms comply with the cyber hygiene notice. This post summarises the key takeaways for each requirement in the notice. The full 34-minute replay can also be watched below to follow the whole discussion.

Implementation of Administrative Accounts and Security Patches

Controls over administrative accounts and the timely application of security patches are mandatory under the MAS notice. Eze Castle Integration advises all of its clients globally to implement both, for the added control they give over assets, confidential data and brand reputation. Below are considerations for implementing each layer effectively:

Administrative Accounts – apply the principle of least privilege to all systems and data, so that access is strictly limited to those who need it for their role within the business. Restrictions should include the following:

  • Access control lists on all applications and data

  • Inbound/outbound internet access control lists

  • Use of audited OTPs (one-time passwords) and least-privilege shared accounts for access to client networks, so that every privileged session is logged and can be reviewed


Security Patches – three general categories of patches should be scheduled on a regular basis, with security patches prioritised according to the severity of the vulnerabilities they fix:

  • Security patches

  • Bug patches

  • Service packs/version updates

Setting New Security Standards and Network Perimeter Defences

Security standards matter because they document the risks associated with each system the business uses and how those risks are managed. Firms are therefore advised to create appropriate policies, including but not limited to the following:

  • Written Information Security Policy (WISP)

  • Incident Response Plan

  • Business Continuity Plan


These policies should be reviewed regularly and validated by audits and annual testing. The certifications and methods listed below are good practice and will help your firm demonstrate cyber hygiene in line with the notice:

  • SOC 2, ISO or ISAE framework audits

  • Penetration/Vulnerability Testing

  • Risk Reviews


Network perimeter defences are vital to monitoring and restricting unauthorised traffic, so, as the notice requires, firms must carefully consider how to implement them. At Eze Castle Integration, our experts advise the following layered approach:

  • Next-generation firewall

  • Intrusion prevention systems

  • Intrusion detection systems

  • Log management, so that firewall and IDS/IPS events are retained and reviewed

Tips for Good Password Hygiene

Weak passwords are the gateway to a firm’s assets and confidential data, so the importance of password hygiene cannot be stressed enough. Firms are advised to promote a culture of password security at all levels and to remind employees regularly to reset their passwords, protecting both themselves and the organisation from cyber criminals.

Here are the factors that make a strong password:

  • Length: prefer long passwords (try using passphrases of several unrelated words)

  • Strength: avoid personal information (especially details about you that can easily be found online)

  • Diversity: use a different password on every platform, so that one breach does not expose the others

  • Frequency: change your passwords every three months, and immediately if you suspect one has been exposed
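The four factors above can be enforced rather than merely recommended. The following is an added example (not code from the original post or from Eze Castle Integration) of a small policy check over a candidate password. The 14-character minimum, the 90-day rotation window and the sample user details are assumptions for illustration; the reuse history is held as hashes so that old passwords never sit in clear.

```python
import hashlib
from datetime import date, timedelta

# Policy thresholds (assumptions for this example): a 14-character minimum
# favours passphrases, and 90 days matches the "every three months" advice.
MIN_LENGTH = 14
MAX_AGE = timedelta(days=90)


def fingerprint(password: str) -> str:
    """SHA-256 of the password, used only to compare against a reuse history
    without holding the old passwords in clear. A credential store itself
    should use a salted, slow hash (bcrypt, scrypt or Argon2), not this."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, personal_info, reuse_history, last_changed, today):
    """Return the list of policy findings for one password; [] means it passes.

    personal_info  - strings about the user (name, user ID, employer, birth year)
    reuse_history  - fingerprints of passwords already used on other platforms
    last_changed   - date the current password was set (None if being set now)
    """
    findings = []

    # Length: a long passphrase beats a short "complex" string.
    if len(password) < MIN_LENGTH:
        findings.append("too_short")

    # Strength: none of the user's personal details may appear in the password,
    # regardless of case. Tokens under three characters would match too freely.
    lowered = password.lower()
    if any(t.lower() in lowered for t in personal_info if len(t) >= 3):
        findings.append("personal_info")

    # Diversity: the same password must not be reused across platforms.
    if fingerprint(password) in reuse_history:
        findings.append("reused")

    # Frequency: rotate after MAX_AGE.
    if last_changed is not None and today - last_changed > MAX_AGE:
        findings.append("stale")

    return findings


def run_demo():
    """Run three constructed cases (sample data, not real user records)."""
    user_info = ["Amisha", "ashah", "Eze Castle", "1990"]
    history = {fingerprint("Summer2019!"), fingerprint("Welcome123")}
    today = date(2020, 7, 23)
    return (
        check_password("Summer2019!", user_info, history, date(2020, 1, 6), today),
        check_password("ashah-loves-1990", user_info, history, None, today),
        check_password("quiet harbour lantern fifty", user_info, history,
                       date(2020, 6, 1), today),
    )


if __name__ == "__main__":
    for result in run_demo():
        print(result)
    # -> ['too_short', 'reused', 'stale']
    # -> ['personal_info']
    # -> []
```

The first case fails on three counts at once, which is the usual shape of a weak corporate password: short, recycled from another platform and long overdue for rotation. The passphrase passes every check despite containing no digits or symbols.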


Check out our dedicated article on password security linked here for more tips!

Successfully Deploying Malware Protection and Multi-Factor Authentication (MFA)

Lastly, the notice highlights the importance of deploying malware protection and multi-factor authentication (MFA) to prevent security breaches and attacks. Our experts’ considerations for successfully deploying both of these layers of defence are listed below.

Suggested layers of malware protection:

  • Anti-virus software

  • Hardware and software firewalls

  • Encryption and application filters

  • Mobile device management

  • Intrusion detection and prevention

  • Web filtering

  • Targeted attack prevention and email encryption


When it comes to successfully deploying MFA, the commonly used and proven authentication factors are listed below; a genuine MFA deployment combines at least two of them from different categories, since two passwords are still a single factor:

  • Knowledge based (something you know, such as a password or PIN)

  • Possession based (something you have, such as a hardware token or an authenticator app)

  • Inherence based (something you are, such as a fingerprint)

  • Location based (where the request comes from, such as a known office network)


Furthermore, the following secure authentication practices are also advised:

  • Assign a unique domain user ID to each employee, so that actions are attributable and access can be revoked individually when someone leaves

  • Enforce domain account password policy, and ensure passwords are never kept in a location or format (shared documents, spreadsheets, plain-text files) that would compromise the security of the data they protect


The article linked here provides more insight into cybersecurity best practices and MFA!
