Originally introduced in 2013, the Monetary Authority of Singapore (“MAS”) Technology Risk Management (“TRM”) guidelines received an update in August 2019 which made them mandatory for any financial institution (FI) with a global footprint that has operations in Singapore. For banks that operate within the country, this means that the recommendations will become legally binding on August 6th, 2020. As we enter the new year, this deadline hurtles ever closer, which raises the question: what do FIs still have to do to comply with the MAS TRM regulations?
The main obligations laid out in the MAS guidelines can be summarised by the following:
- Deploy security controls to limit unauthorised network traffic
- Create and implement robust processes for securing IT systems
- Guarantee updates are applied to address system security flaws in a timely way
- Execute procedures to mitigate the risk of malware infection
- Ensure that the use of system accounts with special privileges is secured to prevent unauthorised access
- Undertake regular cybersecurity assessments and act upon their findings
What particularly stands out from the MAS TRM guidelines is how it sets out cybersecurity requirements in an informed, thorough, clear and up-to-date way. It is Cyber Essentials taken to the next level – it’s more of a step-by-step guide of cybersecurity best practices than it is a lightning rod of colossal change. This is clear in the way that the rules can be applied to any company, whether or not they operate within the financial services industry.
This is a smart move by MAS. By reinforcing these policies, they are helping guarantee that FIs are meeting minimum security requirements which will allow for greater mitigation of risk and better safeguarding of customer and company data. To a certain extent, most multinational FIs will already have a majority of the guidelines in place. However, there are still some steps to be made before complete compliance can be guaranteed.
The time is now
It’s logical to assume that it is more vital for Asian banks to pay attention to MAS. But even though TRM is of greater importance to Asian organisations, multinational financial institutions based in the UK need to pay attention to it now if they do business in Singapore or have any customers that operate in the country. In terms of its position in Asian financial networks, Singapore’s role as a gateway to Asian markets shouldn’t be underestimated. It shouldn’t come as a surprise that a large number of financial institutions in the UK will need to ensure compliance with the MAS guidelines.
Understanding what needs to be done should be easy enough. The guidelines are written in a simple, clear and concise way so that there is no room for misinterpretation. This in itself is a breath of fresh air, particularly when you consider other, more obfuscatory pieces of regulation. The protracted debates that surrounded GDPR, for example, cannot and will not happen with the MAS guidelines. UK policy writers should take a leaf out of the Singaporean regulator’s book when putting together similar legislation in the future. If GDPR had been laid out in a more basic way, it would have saved a lot of people a lot of time, effort, stress and resources.
Major stumbling blocks
However, just because the instructions are easily understood it does not mean that compliance can be achieved with no trouble at all. FIs will likely still need to navigate a few tricky barriers between now and August 6th.
Take the identification of vulnerabilities as one example. The MAS guidelines say that businesses must enforce an appropriate identification process. On the surface, this may seem simple enough but in reality, it’s fraught with complications. If FIs don’t yet have visibility of their entire fragmented infrastructure, they will need to gain it fairly rapidly. Even when they have it, in order to properly understand the relevance of each vulnerability they will need to have deep, context-driven knowledge of exposure levels. Without this, they will have to deal with hundreds of thousands, if not millions, of vulnerability occurrences without being armed with the ability to determine which present the biggest risk to their organisation.
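The point above, that a raw vulnerability count without exposure context cannot tell a team where the real risk sits, is illustrated by the following added example. It is not code from the article or from Skybox Security; the asset inventory, scan results and weighting factors are constructed for illustration, and the scoring scheme (exposure factor, exploit and data multipliers) is a hypothetical one chosen to show the effect, not a published method.

```python
"""Context-driven vulnerability prioritisation (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool           # directly reachable from the internet
    reachable_from_untrusted: bool  # a firewall rule admits traffic from an untrusted zone
    holds_customer_data: bool       # a breach would expose customer records
    compensating_control: bool      # e.g. an IPS or WAF signature already blocks the exploit path


@dataclass(frozen=True)
class Occurrence:
    vuln_id: str
    asset: str
    cvss_base: float
    exploit_public: bool


# Constructed inventory: four assets with very different exposure.
ASSETS = {a.name: a for a in [
    Asset("web-gateway", True, True, False, False),
    Asset("core-banking-db", False, True, True, False),
    Asset("build-server", False, False, False, False),
    Asset("payment-api", True, True, True, True),
]}

# Constructed scan output: the same CVSS 9.8 flaw appears on two assets.
OCCURRENCES = [
    Occurrence("V-1", "build-server", 9.8, True),
    Occurrence("V-2", "web-gateway", 7.5, True),
    Occurrence("V-3", "core-banking-db", 8.1, False),
    Occurrence("V-4", "payment-api", 9.8, True),
    Occurrence("V-5", "build-server", 5.3, False),
]


def exposure_factor(asset):
    """Hypothetical weighting: how reachable is the flaw from an attacker's position?"""
    if asset.internet_facing:
        factor = 1.0
    elif asset.reachable_from_untrusted:
        factor = 0.7
    else:
        factor = 0.3
    if asset.compensating_control:
        factor *= 0.5  # the path exists but is already mitigated
    return factor


def risk_score(occ, asset):
    """Severity scaled by exposure, boosted for public exploits and sensitive data."""
    score = occ.cvss_base * exposure_factor(asset)
    if occ.exploit_public:
        score *= 1.5
    if asset.holds_customer_data:
        score += 1.0
    return round(score, 2)


def prioritise(occurrences, assets):
    """Return (score, occurrence) pairs ranked by contextual risk, highest first."""
    scored = [(risk_score(o, assets[o.asset]), o) for o in occurrences]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def cvss_only_order(occurrences):
    """The naive ranking a team is stuck with when it lacks exposure context."""
    return [o.vuln_id for o in sorted(occurrences, key=lambda o: o.cvss_base, reverse=True)]


if __name__ == "__main__":
    print("CVSS only:", cvss_only_order(OCCURRENCES))
    for score, occ in prioritise(OCCURRENCES, ASSETS):
        print(f"{occ.vuln_id} on {occ.asset:16} CVSS {occ.cvss_base:4} -> risk {score}")
```

With the constructed data, a CVSS-only view puts the two 9.8 findings first, including the one on an isolated build server, while the context-aware ranking puts the internet-facing 7.5 with a public exploit at the top and drops the build-server finding to fourth. Whatever weighting an FI adopts, the design choice that matters is that exposure (reachability through the firewall estate, compensating controls) is an input to the ranking rather than something analysts reconstruct by hand per finding.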
In addition, firewall rule recertification processes need to be ramped up. In line with the MAS TRM recommendations, when any alterations are made to a financial institution’s security controls, an official auditing process must be carried out. Every FI is obligated to ensure that all of its firewall policies are being upheld on a regular basis: if these additional checks are new for the FI, and if the CISO and their team are forced to rely on manual processes, this will become a significant, time-consuming and cumbersome undertaking.
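The recertification check described above is easy to automate once rules carry an owner, a justification and a review date. The following added example is not code from the article or from Skybox Security: the ruleset is constructed, the 180-day review period is a hypothetical policy parameter rather than a figure from MAS TRM, and the hygiene checks (any-source, any-service, missing owner or justification) are illustrative. Each recertification produces an audit-trail entry, and a rule that fails a hygiene check cannot be rubber-stamped for another period.

```python
"""Firewall rule recertification audit (added example, constructed ruleset)."""
from dataclasses import dataclass, replace
from datetime import date

# Hypothetical policy parameter, not a figure from MAS TRM.
MAX_AGE_DAYS = 180


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str
    dst: str
    service: str
    owner: str
    justification: str
    last_recertified: str  # ISO date of the last documented review


# Constructed ruleset: a mix of healthy, stale and poorly documented rules.
RULES = [
    Rule("FW-001", "10.0.0.0/8", "10.20.1.5", "tcp/443", "payments-team",
         "internal clients to payments portal", "2019-09-01"),
    Rule("FW-002", "any", "10.20.1.10", "tcp/22", "",
         "", "2019-03-10"),
    Rule("FW-003", "192.0.2.0/24", "10.20.2.0/24", "any", "infra",
         "partner connectivity", "2019-05-01"),
    Rule("FW-004", "203.0.113.5", "10.20.1.5", "tcp/443", "vendor-mgmt",
         "vendor monitoring", "2019-12-20"),
    Rule("FW-005", "10.30.0.0/16", "10.20.3.7", "tcp/1521", "dba",
         "batch reporting to Oracle", "2019-06-15"),
]


def rule_findings(rule, today):
    """Reasons a rule fails the periodic check; an empty list means it passes."""
    reasons = []
    age = (today - date.fromisoformat(rule.last_recertified)).days
    if age > MAX_AGE_DAYS:
        reasons.append(f"overdue: last recertified {age} days ago")
    if rule.src.lower() == "any":
        reasons.append("source any")
    if rule.service.lower() == "any":
        reasons.append("service any")
    if not rule.owner:
        reasons.append("no owner")
    if not rule.justification:
        reasons.append("no business justification")
    return reasons


def audit_rules(rules, today_iso):
    """Map rule_id -> findings for every rule that needs attention."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for rule in rules:
        reasons = rule_findings(rule, today)
        if reasons:
            findings[rule.rule_id] = reasons
    return findings


def recertify(rule, approver, today_iso):
    """Record an approval, returning the updated rule and an audit-trail entry.

    Hygiene findings (any-source, no owner, ...) block recertification: the rule
    must be tightened or retired rather than approved for another period.
    """
    today = date.fromisoformat(today_iso)
    blocking = [r for r in rule_findings(rule, today) if not r.startswith("overdue")]
    if blocking:
        raise ValueError(f"{rule.rule_id} cannot be recertified as-is: {blocking}")
    entry = {"rule_id": rule.rule_id, "action": "recertified",
             "approver": approver, "date": today_iso,
             "src": rule.src, "dst": rule.dst, "service": rule.service}
    return replace(rule, last_recertified=today_iso), entry


if __name__ == "__main__":
    for rule_id, reasons in audit_rules(RULES, "2020-01-15").items():
        print(rule_id, "->", "; ".join(reasons))
```

Run against the constructed ruleset on 2020-01-15, the audit flags FW-002 (stale, any-source, undocumented), FW-003 (stale, any-service) and FW-005 (stale but otherwise clean); only FW-005 can be recertified directly, and doing so emits the audit entry the review process needs.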
Despite the fact that global FIs often have large cybersecurity teams to cope with these challenges, it’s never an easy job to redistribute resources, particularly if they already feel stretched. In addition, if they are yet to invest in the correct tools to assist with automated vulnerability detection, prioritisation and rule recertification, then there is a risk of being on the back foot.
Why we need an international standard
The MAS rules lay out the most important cybersecurity best practices with ease. In doing so, they raise the question of whether a similar standard needs to be created in the UK. The answer is simple: yes. If recommendations similar to MAS had been in place, there is a chance that any number of recent data leaks at UK FIs may not have happened.
If a new international standard is introduced, it’s critical that it’s as easily digestible as the MAS guidelines. All members of staff, technical or not, should be able to grasp why cybersecurity is important and understand the role that they have to play. Ultimately, it is the responsibility of all employees to maintain the security of the organisation that they work for, not only for their own benefit but also for the customers they serve.
Of course, the onus for ensuring basic cyber-hygiene really shouldn’t fall at regulators’ feet. Banks in the UK who don’t operate in Singapore and, therefore, don’t have to comply with the MAS regulations, simply cannot afford to waste time waiting for regulators to tell them what good cyber-hygiene looks like. They can certainly lean on the MAS regulations, but they should be seeking to go much further. They should look at these measures and say, with confidence, that they’re already compliant. That they’re already 10 steps ahead. What they shouldn’t be doing is waiting for something like MAS to come along to give them a wake-up call.
But such a wake-up call may be needed. Recent figures released by the Financial Conduct Authority revealed that UK-based financial institutions suffered a fivefold year-on-year increase in data breaches in 2018. Clearly, more needs to be done to ensure the resilience of UK FIs. This is something that an international cybersecurity standard could achieve.
Peter Hughes, Technical Director, Skybox Security