Singapore: Monetary Authority of Singapore consults on cyber hygiene notice

Transcription

1 05/12/2018 Singapore: Monetary Authority of Singapore consults on cyber hygiene notice Data Oct 2018 Singapore: Monetary Authority of Singapore consults on cyber hygiene notice On 6 September 2018, the Monetary Authority of Singapore ( MAS ) issued a consultation paper on its draft notice on cyber hygiene ( the Notice ) which will require nancial institutions operating in Singapore to implement a set of fundamental controls to raise their overall level of cyber resilience. Han Ming Ho and Yuet Ming Tham, Partners at Sidley Austin LLP, discuss and focus on the key features of the draft Notice. Olivier Le Moal/Essentials collection/istockphoto.com Introduction On 17 May 2018, Tan Yeow Seng, Chief Cyber Security O cer of the MAS, gave a keynote speech at the Visa Security Summit on technological advancements, trust, and security in the context of the e-payments industry. Tan highlighted the importance of building resilience in the payment ecosystem, and set out the major cyber security initiatives that the MAS has embarked upon: Firstly, to strengthen cyber collaboration and promote cyber threat information sharing, the MAS has collaborated with the Financial Services Information Sharing and Analysis Centre to establish its Asia Paci c Regional Analysis Centre in Singapore. This allows its members to share and receive cyber threat information and other resources tailored for the region. 1/5

2 05/12/2018 Singapore: Monetary Authority of Singapore consults on cyber hygiene notice Data Secondly, the MAS is reviewing the MAS Technology Risk Management Guidelines to give greater focus on cyber resilience and to incorporate new guidance to keep pace with technological advances and rapidly evolving cyber threats. To date, the revised guidelines have not been issued. Thirdly, the MAS will issue the Notice, which will require nancial institutions in Singapore to implement a set of fundamental controls to raise their overall level of cyber resilience. Application of the Notice As a starting point, the Notice will apply to Singapore nancial institutions such as banks, insurers, capital markets services licence holders, designated payment system operators, and settlement institutions. In addition, the Notice will apply to any licensee under the proposed Payment Services Bill 2018 ('PSB'). This will include existing moneychangers, remittance agents and holders of stored value facilities that become licensees under the proposed PSB, as well as any entity licenced under the proposed PSB to provide payment services such as account issuance, domestic money transfer, merchant acquisition and virtual currency services ('Relevant Entity'). The consultation period for the PSB has closed and the MAS has yet to issue its response to any feedback received. As such, there may be further changes to the PSB before it is passed by the Parliament of Singapore. Requirements under the Notice Under the draft Notice, the MAS prescribes six cyber hygiene practices that will form the baseline standard for cybersecurity. In addition, the MAS has provided guidance on the measures that may be implemented to meet the standard under the Notice. However, the MAS has acknowledged that due to the di erences in the scale, complexity and nature of business of di erent entities, the measures that may be implemented by one Relevant Entity may di er from those implemented by another. The six practices, and accompanying guidance, are set out as follows: 1. Administrative accounts A Relevant Entity must secure every administrative account on its system to prevent any unauthorised access to or use of, such accounts. 'Administrative account,' in relation to a system, means any user account that has full privileges and unrestricted access to the system. keep a record of all administrative accounts in its system; implement strong password controls such as changing the default password, enforcing minimum password length and password complexity; grant access to administrative accounts only to authorised sta ; and validate on a regular basis that only authorised persons have access to administrative accounts. 2. Security patches 2/5

3 05/12/2018 Singapore: Monetary Authority of Singapore consults on cyber hygiene notice Data A Relevant Entity must apply security patches to address vulnerabilities to its system, within a timeframe that is commensurate with the risks posed by such vulnerabilities being exploited to the Relevant Entity. Where no security patch is available to address a vulnerability, the relevant entity must institute controls to reduce any risk posed by such vulnerability to its system. 'Vulnerability,' in relation to a system, means any weakness, susceptibility or aw of the system that can be exploited, including but not limited to by allowing an unauthorised person to access the system, or to compromise the security con guration settings of the system. perform regular checks for available security patches; establish a framework to assess the criticality of any available patch and the timeframe within which the patch must be implemented; and the framework should include controls to reduce any risk in the event that a patch cannot be applied. 3. Security standards A Relevant Entity must have a written set of security standards for its system. Subject to the paragraph below, a Relevant Entity must ensure that its system conforms to the set of security standards. Where the system is unable to conform to the set of security standards, the Relevant Entity must institute controls to reduce any risk posed by such non-conformity. establish, document and keep up-to-date security standards; ensure every system complies with the security standards established by the Relevant Entity; and take steps to reduce any risk, including approving deviations from the security standards, if the system cannot fully conform with the security standards. 4. Firewall A Relevant Entity must implement one or more rewalls at its network perimeter to restrict all unauthorised network tra c. implement one or more rewalls at the network perimeter in order to segment the internal network from the public internet; and con gure any implemented rewalls and regularly review the rewall rules to only allow authorised network tra through. c to pass 3/5

4 05/12/2018 Singapore: Monetary Authority of Singapore consults on cyber hygiene notice Data 5. Anti-virus A Relevant Entity must implement one or more anti-virus measures, to mitigate the risk of malware infection on its system. The Relevant Entity may consider implementing this measure: update any anti-virus software and signatures promptly. 6. Multi-factor authentication A Relevant Entity must implement multi-factor authentication for all administrative accounts on its critical systems and all accounts on any system used by the Relevant Entity to access con dential information through the internet. 'Multi-factor authentication' means the use of two or more factors to verify an account holder's claimed identity. Such factors include: something that the account holder knows such as a password or a personal identi cation number; something that the account holder has such as a cryptographic identi cation device or token; and something that the account holder is, such as an account holder s biometrics or their behaviour. 'Critical system' in relation to a Relevant Entity means a system that the failure of which will cause signi cant disruption to the operations of the Relevant Entity or materially impact the Relevant Entity's service to its customers. A critical system includes but is not limited to a system which processes transactions that are time critical, or provides essential services to customers. 'Con dential information' means any information relating to, or any particulars of, any customer of the Relevant Entity that is not publicly available, and any information relating or belonging to the Relevant Entity that is not publicly available. The Relevant Entity may consider implementing this measure: implement multi-factor authentication for the accounts as stated in the Notice. Examples include: (a) any administrative account of an operating system on any critical system; and (b) an account belonging to the human resource department that can be used to remotely access sta information through the internet. Timing The last day to provide feedback on the draft Notice was 6 October While no date has been prescribed for the Notice s issuance, the MAS proposes that the Notice take e ect 12 months from its date of issuance to give nancial institutions time to implement the necessary processes and controls. Conclusion By delineating a clear and common cybersecurity waterline for the nancial industry, the proposed Notice seeks to strengthen the overall readiness of all nancial institutions to address cyber threats. This is a noteworthy step in achieving the MAS' goal of building up the overall level of cyber resilience in the nancial industry. 4/5

5 05/12/2018 Singapore: Monetary Authority of Singapore consults on cyber hygiene notice Data Han Ming Ho Partner Yuet Ming Tham Partner Sidley Austin LLP, Singapore This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and the receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers. The content therein does not re ect the views of the rm. RELATED CONTENT FINTRAC Annual Report BI Regulation No. 16/1/PBI/2014 regarding Payment System Services Consumer Protection Consumer Protection Code 2012 (December 2012) NEWS POST Cayman Islands: Ombudsman announces Data Protection Law start postponed NEWS POST USA: CFTC approves proposed rule to amend GLBA privacy notice requirements 5/5