The Monetary Authority of Singapore Cyber Security Advisory Panel (CSAP) stressed the need for financial institutions to review their security controls given the elevated technology-related risks arising from remote working and safe management measures due to the COVID-19 pandemic. The Panel shared its insights on cyber risks in the new operating environment and made several recommendations.
Mr Ravi Menon, MAS’ Managing Director who chaired the CSAP meeting, said, “Singapore’s financial sector has done well so far in its cyber and operational resilience amid the new operating environment created by the pandemic. But as the situation prolongs, that resilience will come under greater stress as cyber attackers look for new vulnerabilities.”
“Financial institutions must remain alert and nimble and strengthen their defences against emerging cyber threats. CSAP members have provided useful recommendations on maintaining cybersecurity against the backdrop of growing reliance on remote working arrangements and cloud service providers.”
Key recommendations from the CSAP meeting include:
Reviewing risk profiles and adequacy of risk-mitigating measures.
The Panel discussed the risks and vulnerabilities arising from the rapid adoption of remote access technologies and work processes that could affect financial institutions’ (FIs) cyber risk profiles. The meeting highlighted the need for FIs to assess if their existing risk profiles have changed and remain acceptable. This is to ensure that in the long run appropriate controls are implemented to mitigate any new risks.
Maintaining oversight of third-party vendors and their controls.
With the increased reliance on third-party vendors, the Panel emphasised the need for FIs to step up their oversight of these counterparts and to monitor and secure remote access by third-partiesto FIs’ systems. This is even more important during the COVID-19 pandemic where remote working has become pervasive.
Strengthening governance over the use of open-source software (OSS).
Vulnerabilities in OSS are typically targeted and exploited by threat actors. The Panel recommended that FIs establish policies and procedures on the use of OSS and to ensure these codes are robustly reviewed and tested before they are deployed in the FIs’ IT environment.
The Panel also exchanged views with the Association of Banks in Singapore Standing Committee on Cyber Security (SCCS) and the Insurance SCCS on enhancing cloud resiliency, monitoring insider threats, and the role of cyber insurance in risk management over two days of virtual meetings. Participants included representatives from government agencies such as Ministry of Communications and Information, Ministry of Defence, and Government Technology Agency.
