Legal Update | 5 February 2021

MAS revises Technology Risk Management Guidelines for Financial Institutions

Gerard Quek

Introduction

On 18 January 2021, the Monetary Authority of Singapore (“MAS”) issued the revised Technology Risk Management Guidelines (the “Guidelines”), which focus on addressing technology and cyber risks in view of the growing use of cloud technology, application programming interfaces (“API”) and software development by financial institutions (each a “FI” and collectively, “FIs”).

The Guidelines focus on the following categories:

  • guidance on the roles and responsibilities of the board of directors and senior management of FIs;
  • oversight and assessment of third-party vendors and entities that access the IT systems of FIs; and
  • introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem.

We summarise the key amendments under each category below:

(A) Roles and responsibilities of the Board of Directors and Senior Management

The Guidelines provide that the board of directors (the “Board”) and senior management of an FI (“Senior Management”) should ensure the appointment of a Chief Information Officer (“CIO”) (or its equivalent) and a Chief Information Security Officer (“CISO”) (or its equivalent).

The CIO and CISO will need to possess requisite experience and expertise and should be accountable for managing the FI’s technology and cyber risks. Notwithstanding the aforesaid, the Board and Senior Management should also comprise members who possess knowledge of technology and cyber risks.

Further to the above, the Guidelines expand the responsibilities of the Board and Senior Management, providing an extensive list of responsibilities under sections 3.1.7 and 3.1.8.

MAS has clarified that the intent of the Guidelines is to ensure that the Board and Senior Management of the FI are able to competently exercise their oversight of technology strategy, operations and risks.

(B) Assessment of third-party vendors and entities that access the IT systems of FIs

Under the Guidelines, there is a new requirement for FIs to establish internal protocols when assessing (i) third-party vendors; and (ii) entities that wish to access the FIs’ API.

Vendors

For the evaluation of vendors providing software solutions (each a “Vendor” and collectively, the “Vendors”), FIs need to ensure that each Vendor is qualified and able to meet the FIs’ project requirements and deliverables. In essence, the level of assessment and due diligence of Vendors should be commensurate with the criticality of the project deliverables.

MAS has clarified that FIs may adopt a risk-based approach when assessing the robustness of the Vendor’s software and may, on their own volition, opt to obtain an undertaking from the Vendor, assuring the FI of the security of the Vendor’s software.

Third-Party Entities Accessing FIs’ API

There is also a requirement for FIs to develop a well-defined vetting process for assessing third-party entities that wish to access the API of the FI (each a “Third-Party Entity” and collectively, the “Third-Party Entities”).

The vetting process includes, inter alia, evaluating the nature of the Third-Party Entity’s business, cyber security posture, industry reputation and track record.

FIs should also ensure that there are adequate protocols governing the access of their API by Third-Party Entities.

The MAS has clarified that FIs should use strong encryption to ensure the secure transmission of sensitive data; build capabilities to monitor the usage of their APIs; and detect suspicious activities and revoke the access of Third-Party Entities in the event of any security breach.

(C) Introduction of monitoring, testing, reporting and sharing of cyber threats within the financial ecosystem

We set out some of the key sections (non-exhaustive) in the Guidelines pertaining to this category C.

Cyber Threat Intelligence and Information Sharing

The Guidelines require FIs to establish a process to collect, process and analyse “cyber-related information” that is relevant to, and may have a potential impact on, the FI’s business and IT environment. Such information should be monitored by way of the FI procuring cyber intelligence monitoring services.

For the avoidance of doubt, “Cyber-related information” refers to cyber events, cyber threat intelligence and system vulnerabilities.

FIs should also ensure proper detection of, and response to, misinformation propagated on the internet by engaging external media monitoring services.

Cyber Incident Response and Management

FIs should establish a plan for cyber incident response and management to swiftly isolate and neutralise any cyber threat and prevent disruption to the FI’s services.

The plan should, amongst others, establish a process to investigate and identify the security or control deficiencies, and describe communication, coordination and response procedures to address possible cyber threat scenarios.

As a matter of practicality, the MAS has clarified that the cyber incident response and management plan can form part of an FI’s larger incident management plan prescribed under the previous Technology Risk Management Guidelines issued in 2013 (the “2013 Guidelines”).

Cyber Security Assessments

Under the Guidelines, FIs must assess their cyber security by conducting regular vulnerability assessments (“VA”) and penetration testing (“PT”). The frequency of such tests should be commensurate with the criticality of the IT system and the security risk to which it is exposed.

The scope of the VA should minimally include vulnerability discovery, identification of weak security configurations and open network ports, application vulnerabilities (where applicable), and web-based vulnerabilities (for websites).

The scope of the PT should include a combination of black-box and grey-box testing. FIs may also consider conducting a bug bounty programme, viz. inviting and incentivising ethical hackers to conduct PT on their systems.

Cyber Exercises

In order to validate the robustness of the FI’s cyber defences and IT systems, the Guidelines provide that FIs should carry out regular scenario-based cyber exercises to test their response, recovery and communication plans against cyber threats.

These exercises should involve Senior Management, business functions, corporate communications, the crisis management team, service providers (where applicable), technical staff responsible for cyber threat detection, and other relevant stakeholders.

Examples of Cyber Exercises include “social engineering”[1], “table top”[2] or “cyber range exercises”[3].

Conclusion

The Guidelines have seen a marked expansion of the roles and responsibilities of FIs in managing cyber security threats (as compared to the 2013 Guidelines).

Whilst the expansive nature of the Guidelines may seem daunting, it is imperative and represents MAS’ recognition of the current market conditions.

This update is provided to you for general information and should not be relied upon as legal advice.

[1] Social engineering is a process in which cyber criminals manipulate an unsuspecting person into divulging sensitive details such as passwords through the use of techniques such as phishing, identity theft and spam.

[2] Table-top exercise is a discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation.

[3] Cyber ranges are interactive, simulated representations of an organisation’s local network, IT systems, tools and applications that are connected to a simulated Internet-level environment. They provide a safe, legal environment in which to gain hands-on cyber skills, and a secure environment for product development and security posture testing.
