MAS Requirements on Cyber Hygiene
The Monetary Authority of Singapore ("MAS") released a Notice on Cyber Hygiene on 6 August 2019 to raise cyber security standards and strengthen the cyber resilience of financial institutions in Singapore. The legally binding Notice on Cyber Hygiene came into effect on 6 August 2020. The Notice applies to all financial institutions in Singapore.
Applicability of the Notice on Cyber Hygiene
The Notice on Cyber Hygiene sets out a set of fundamental cyber security measures that are effective in mitigating prevalent cyber threats. As the use of technology solutions and the scale of IT operations vary across the relevant entities, MAS has not specified the exact cyber security measures that must be implemented to comply with the Notice on Cyber Hygiene.
Financial institutions are expected to put in place a proper IT risk management framework to facilitate the assessment of risks, and must implement appropriate measures to mitigate those risks in order to comply with the Notice on Cyber Hygiene.
Difference between the Notice on Cyber Hygiene and the Technology Risk Management Notice
The Notice on Cyber Hygiene requires financial institutions to implement a set of cyber security measures to protect and secure their systems from cyber-attacks. The Technology Risk Management Notice, on the other hand, sets out requirements for financial institutions to maintain a high level of availability and recoverability in their critical systems, protect customer information from unauthorised access or disclosure, and report relevant incidents to MAS.
It is important for financial institutions to put in place IT risk management policies and procedures that adequately address the requirements under both the Notice on Cyber Hygiene and the Technology Risk Management Notice.
Key Obligations to Meet
We have listed below a summary of the key Cyber Hygiene measures that financial institutions need to address in their technology risk management framework.
- Administrative Accounts
Administrative accounts refer to user accounts that have full access rights (e.g. read, write and execute) to key system resources. Financial institutions are required to secure the use of every administrative account in respect of any operating system, database, application, security appliance or network device through preventive controls. These controls should prevent unauthorised access to, or use of, such accounts.
Financial institutions should ensure that administrative access rights are granted on a "need to use" basis, that there are procedures to assess and approve the granting of administrative accounts, and that periodic reviews are performed to verify that administrative rights remain appropriately assigned.
- Security Patches
To maintain appropriate cyber hygiene, financial institutions are required to address system vulnerabilities in a timely manner by applying available security patches to every system (including hardware and software). Mitigating controls must be implemented where no security patch is available.
Financial institutions should adopt a risk-based approach to prioritising patches, based on the criticality of the affected system and the severity of, or risk posed by, the vulnerability. Where a security patch is not available, financial institutions must take other steps to mitigate the risk posed by the vulnerability in order to comply with the Notice on Cyber Hygiene.
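The Notice describes the patching obligation at the level of principle: prioritise by system criticality and vulnerability severity, act in a timely manner, and fall back to a mitigating control where no patch exists. The script below is an added illustration of one way to turn those principles into a ranked remediation plan; it is not from the MAS Notice or from Argus/Waystone, and the scoring weights, the remediation windows in days, the system inventory and the placeholder vulnerability identifiers are all constructed assumptions chosen for the example rather than values the Notice prescribes.

```python
"""Risk-based patch prioritisation over a constructed system inventory.

Added example. The weights, day targets and sample inventory are assumptions
made for illustration; the MAS Notice on Cyber Hygiene sets none of them.
"""
from dataclasses import dataclass, field
from typing import List, Dict

# Assumed ordinal weights for system criticality and vulnerability severity.
CRITICALITY = {"critical": 3, "high": 2, "medium": 1, "low": 0}
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Vulnerability:
    vuln_id: str            # placeholder identifier, not a real advisory
    severity: str           # key of SEVERITY
    patch_available: bool   # False => a mitigating control is mandatory
    internet_facing: bool = False


@dataclass
class System:
    name: str
    criticality: str        # key of CRITICALITY
    vulns: List[Vulnerability] = field(default_factory=list)


def priority_score(system: System, vuln: Vulnerability) -> int:
    """Assumed scoring: (criticality + 1) * severity, +2 if exposed to the Internet."""
    score = (CRITICALITY[system.criticality] + 1) * SEVERITY[vuln.severity]
    if vuln.internet_facing:
        score += 2
    return score


def target_days(score: int) -> int:
    """Assumed remediation window; the Notice only says 'timely' and gives no figures."""
    if score >= 12:
        return 7
    if score >= 8:
        return 14
    if score >= 4:
        return 30
    return 90


def build_plan(systems: List[System]) -> List[Dict]:
    """Return remediation actions sorted from highest to lowest priority.

    A vulnerability with no patch is recorded as requiring a documented
    mitigating control rather than being silently dropped from the plan.
    """
    actions = []
    for system in systems:
        for vuln in system.vulns:
            score = priority_score(system, vuln)
            actions.append({
                "system": system.name,
                "vuln": vuln.vuln_id,
                "score": score,
                "due_days": target_days(score),
                "action": "apply_patch" if vuln.patch_available else "mitigating_control",
            })
    # Highest score first; name order as a stable tie-break for reproducible output.
    actions.sort(key=lambda a: (-a["score"], a["system"], a["vuln"]))
    return actions


# Constructed sample inventory (not real systems or real vulnerabilities).
SAMPLE = [
    System("core-banking-db", "critical", [
        Vulnerability("VULN-0001", "high", patch_available=True),
        Vulnerability("VULN-0002", "medium", patch_available=False),
    ]),
    System("public-web", "high", [
        Vulnerability("VULN-0003", "critical", patch_available=True, internet_facing=True),
    ]),
    System("intranet-wiki", "low", [
        Vulnerability("VULN-0004", "low", patch_available=True),
    ]),
]

if __name__ == "__main__":
    for action in build_plan(SAMPLE):
        print(action)
```

Run as-is, the plan places the Internet-facing critical-severity item on the public web server first (score 14, 7-day window), the high-severity item on the core banking database next (score 12, 7 days), then the unpatchable medium-severity item on the same database flagged as `mitigating_control` (score 8, 14 days), and the low-risk intranet item last. The point for compliance purposes is that the unpatchable item keeps a due date and an owner-visible action rather than disappearing because no patch exists.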
- Security Standards
As part of cyber hygiene practices, financial institutions are required to have a written set of security standards for every system, and to ensure that systems always conform to them. Mitigating measures should be employed where a system is unable to conform to the security standards. The security standards should be approved by the person who has oversight responsibility for the cyber security function. Financial institutions should review and update their standards at least yearly, or whenever there are significant changes to the IT environment or to the cyber risk landscape.
- Network Perimeter Defense
Financial institutions are required to implement controls at their network perimeter to restrict all unauthorised network traffic. The network perimeter defence requirement under the Notice on Cyber Hygiene applies to all networks used by financial institutions, including those hosted overseas or outsourced to intra-group or third-party service providers.
As with all other cyber hygiene measures, the defences adopted should be commensurate with the scale and complexity of the financial institution's operations. Examples of perimeter defences include a network router or a firewall.
- Malware Protection
Financial institutions are required to implement protective measures on every system to mitigate the risk of malware infection, where such measures are available and can be implemented. As part of cyber hygiene best practice, financial institutions are strongly encouraged to consider the following security measures:
- Anti-virus software
- Network intrusion detection and prevention system
- Hardware and software firewalls
- Encryption and application filters
- Web filtering
- Email encryption
- Multi-Factor Authentication
As part of cyber hygiene, financial institutions must ensure that multi-factor authentication is implemented for all administrative accounts, as well as for all accounts with access to any confidential data. Confidential data is defined to mean information relating to, or any particulars of, any customer of the financial institution where a named customer, or a group of named customers, is identified or is capable of being identified from such information.
Financial institutions may use a third-party software application or appliance to implement multi-factor authentication for access to legacy systems that do not support it natively.
How can Argus (now Waystone Compliance) Assist?
We, at Argus Global (now Waystone Compliance), are a team of consultants who specialise in regulatory compliance for financial institutions. We can assist with the following:
- Drafting and preparing comprehensive Cyber Hygiene policies and procedures that adhere to the MAS Notice on Cyber Hygiene and the Technology Risk Management Notice
- Providing a gap analysis of current policies and procedures against the relevant MAS notices and guidelines
- Providing Cyber Hygiene training to all employees to educate them on industry best practices, regulatory requirements and company-specific internal control requirements
Please reach out to us for an initial discussion at [email protected].
Follow us on LinkedIn for more updates.