On 6 August 2019, the Monetary Authority of Singapore (“MAS”) issued a set of legally binding requirements that financial institutions must comply with to mitigate the growing risk of cyber threats. These requirements are contained in the following notices (collectively, “Cyber Hygiene Notices”):
MAS has also issued a set of Frequently Asked Questions accompanying the Cyber Hygiene Notices (“FAQs”), which sets out common industry practices for each cybersecurity measure under the Cyber Hygiene Notices.
In finalising the Cyber Hygiene Notices, MAS took into consideration the feedback received from the industry during its public consultation in September 2018.
The Cyber Hygiene Notices, the FAQs and MAS’ response to the feedback received (“Response”) can be found at the following link: https://www.mas.gov.sg/publications/consultations/2018/consultation-paper-on-notice-on-cyber-hygiene*
*Note: If you encounter any issues with the link, please copy the link above and view it from your browser.
Requirements under the Cyber Hygiene Notices:
The Cyber Hygiene Notices make compulsory a set of fundamental cybersecurity requirements that were elevated from the existing MAS Guidelines on Risk Management Practices – Technology Risk (“TRM Guidelines”)4.
The Cyber Hygiene Notices require relevant entities to implement a set of cybersecurity measures to protect and secure their systems from cyber-attacks. In contrast, the existing Notice on Technology Risk Management5 sets out requirements for financial institutions to maintain a high level of availability and recoverability in their critical systems, protect customer information from unauthorised access or disclosure, and to report relevant incidents to the MAS.
Specifically, the Cyber Hygiene Notices set out the following requirements:
(a) Administrative accounts
A relevant entity must ensure that every administrative account6 is secured to prevent any unauthorised access to or use of such account.
To secure such administrative accounts:
- administrative accounts and access rights should be granted on a “need-to-use” basis, and procedures should be established to assess and approve the granting of administrative accounts;
- periodic reviews should be performed to verify administrative rights are appropriately assigned, and revoked when no longer required; and
- preventive controls (e.g. password complexity, password expiration, dual control of passwords and segregation of duties for system administration) should be implemented.
(b) Security patches
A relevant entity must ensure that security patches are applied to every system to address vulnerabilities, and that such security patches are applied within a timeframe that is commensurate with the risks posed by each vulnerability. The timeframe for the remediation plan should be commensurate with (i) the criticality of the affected systems; (ii) the risks that the vulnerability poses; (iii) the security severity of the patches; and (iv) the existing controls in the relevant entity’s IT environment.
Where no security patch is available to address a vulnerability, controls must be instituted to reduce any risk posed by such vulnerability to such a system. For example, where a zero-day vulnerability has been identified and a patch is not available yet, network security devices may be used to detect and intercept or drop malicious payloads that are targeted to exploit the vulnerability.
(c) Security standards
A relevant entity must ensure that there is a written set of security standards for every system. In formulating its security standards, guidance may be taken from internationally recognised industry best practices (e.g. the Center for Internet Security and the National Institute of Standards and Technology).
The relevant entity must ensure that every system conforms to the set of security standards. Where a system is unable to conform to the set of security standards, controls must be instituted to reduce any risk posed by such non-conformity, and a process should be in place to seek dispensation from the relevant entity’s senior management.
In the Response, MAS clarified that relevant entities are expected to ensure that the security standards are approved by the person who has oversight responsibilities over the cybersecurity function, and the security standards are reviewed and updated at least yearly, or whenever there are significant changes to the IT environment or to the cyber risk landscape.
(d) Network perimeter defence
A relevant entity must implement controls at its network perimeter to restrict all unauthorised network traffic.
This requirement applies to all networks used by relevant entities, including those hosted overseas or outsourced to intra-group or third-party service providers.
(e) Malware protection
A relevant entity must ensure that one or more malware protection measures are implemented on every system, to mitigate the risk of malware infection, where such malware protection measures are available and can be implemented.
Before implementing malware protection measures, relevant entities should perform their own risk assessment to determine whether other measures are required to enhance their capability to mitigate the threat of malware infection on their systems. Relevant entities could work with vendors to identify the most suitable malware protection solution that meets their own needs and the Cyber Hygiene Notice requirements.
(f) Multi-factor authentication
A relevant entity must ensure that multi-factor authentication7 is implemented for the following:
- all administrative accounts in respect of any operating system, database, application, security appliance or network device that is a critical system8; and
- all accounts on any system used by the relevant entity to access customer information through the internet,
(collectively, the “Multi-factor Authentication Requirement”).
No need for compliance where control cannot be exercised:
A relevant entity need not comply with a requirement under the Cyber Hygiene Notice to the extent that it is unable to exercise control over a system to ensure compliance with that requirement, in all of the following ways:
- the relevant entity cannot exercise direct control over the system to ensure compliance with that requirement;
- the relevant entity cannot exercise indirect control over the system by requiring the system provider to ensure compliance with that requirement; and
- it is not reasonable for the relevant entity to procure an alternative system provider over whom the relevant entity is able to exercise such indirect control, to provide the system.
No need for attestation / audit reports:
No attestation or audit report on compliance with the Cyber Hygiene Notices needs to be submitted to the MAS.
However, the MAS expects all relevant entities to report to their senior management on the state of compliance with the Cyber Hygiene Notice.
The MAS will review the extent of the relevant entities’ compliance with the Cyber Hygiene Notice requirements as part of its supervisory process.
Timeline of Implementation:
Subject to the additional transitional period for the Multi-factor Authentication Requirement (see below), relevant entities have 12 months to put the cyber security measures in place before the requirements come into effect on 6 August 2020.
Relevant entities will have an additional six (6) months (i.e. until 5 February 2021) to implement the Multi-factor Authentication Requirement, if the relevant entity implements measures to reduce risks by meeting all of the following conditions:
(i) the relevant entity identifies all the risks or potential risks posed by its non-compliance with the Multi-factor Authentication Requirement during the six (6) month period;
(ii) the relevant entity implements controls to reduce the risks identified in paragraph (i) above; and
(iii) a committee of the relevant entity, or a member of the senior management of the relevant entity, agrees with the risk assessment in paragraph (i) above, and is satisfied that the controls implemented in paragraph (ii) are adequate to reduce the risks identified in paragraph (i).
1 Notice CMG-N03 Cyber Hygiene applies to (i) approved exchanges; (ii) recognised market operators incorporated in Singapore; (iii) licensed trade repositories; (iv) approved clearing houses; (v) recognised clearing houses incorporated in Singapore; (vi) the Depository; (vii) approved holding companies; (viii) holders of a capital markets services licence; (ix) registered fund management companies; (x) authorised benchmark administrators; (xi) authorised benchmark submitters; (xii) designated benchmark submitters; and (xiii) persons who are approved to act as a trustee of a collective investment scheme authorised under the Securities and Futures Act (Cap. 289) and constituted as a unit trust.
2 When the Payment Services Act 2019 comes into effect, the requirements seen under the Cyber Hygiene Notices will apply to payment services licensees and operators of designated payment systems under the Payment Services Act 2019.
3 Notice 132 Cyber Hygiene does not apply to an insurance agent who is any of the following: (i) an individual; (ii) a person exempted from holding a financial adviser’s licence under section 23(1)(f) of the Financial Advisers Act (Cap. 110) (“FAA”); or (iii) a person or class of persons exempted from section 6(1) of the FAA under section 100(1) or (2) of the FAA.
4 The TRM Guidelines are a set of best practices that provide financial institutions with guidance on the oversight of technology risk management, security practices and controls to address technology risks. MAS expects financial institutions to observe the guidelines as this will be taken into account in MAS’ risk assessment of the financial institutions.
5 This refers to Notice CMG-N02 Technology Risk Management (applicable to capital markets entities), Notice FAA-N18 (applicable to licensed financial advisers), Notice MAS 127 (applicable to licensed insurers, other than captive insurers and marine mutual insurers), Notice MAS 506 (applicable to registered insurance brokers), Notice MAS 644 (applicable to banks in Singapore), Notice MAS 762 (applicable to credit card or charge card licensees in Singapore), Notice MAS 830 (applicable to finance companies), Notice MAS 912 (applicable to money brokers approved under section 28 of the Monetary Authority of Singapore Act (Cap. 186)), Notice MAS 1114 (applicable to merchant banks approved under section 28 of the Monetary Authority of Singapore Act (Cap. 186)), Notice MAS 3203 (applicable to holders of a remittance licence issued under section 8 of the Money-changing and Remittance Businesses Act (Cap. 187)), Notice PSOA-N05 (applicable to operators and settlement institutions of designated payment systems), and Notice TCA-N05 (applicable to trust companies licensed under the Trust Companies Act (Cap. 336)).
6 An “administrative account” refers to any user account that has full privileges and unrestricted access to any one or more of the following systems: operating system, database, application, security appliance or network device.
7 The term “multi-factor authentication” means the use of two or more factors to verify an account holder’s claimed identity.
8 The term “critical system” in relation to a relevant entity, means a system, the failure of which will cause significant disruption to the operations of the relevant entity or materially impact the relevant entity’s service to its customers.