Banks offering or delivering products and services via the internet or telecommunication networks, whether wired or wireless, need to fully understand not only the opportunities and advantages provided by online delivery channels, but also the security risks, network vulnerabilities and intrusion threats inherent in operating on the internet and open networks. The rapid development of e-banking capabilities carries safety and security implications.
2 Our 'Internet Banking Technology Risk Management' guidelines issued in March 2001 clearly state that the board of directors and senior management of a bank are responsible for managing its risks, including technology risks which are becoming more prevalent and complex. A sound and robust risk management framework mandates that the board and senior management of the bank be held accountable for controlling and managing its technology risks and security posture.
3 The board and senior management of the bank should play a central role in ensuring the adequacy and effectiveness of their risk management processes and security systems. In regard to this function, the responsibility and accountability of the board and senior management are a basic tenet of sound banking practice and corporate governance.
4 In specific terms with respect to internet banking systems, the board and senior management need to ensure that preventive, detective, deterrent and incident response procedures, control countermeasures and security practices are in place to counter the security threats and vulnerabilities posed by the internet to the bank's operations. Their effectiveness and adequacy should be under constant review, audit and monitoring. Prompt and decisive action must be taken when significant security vulnerabilities and threats come to light.
5 As a general requirement, the security procedures and measures we expect the bank to have are as follows:
- robust technology risk management function and security policies.
- rigorous network and systems hardening.
- regular systems and data integrity checking.
- annual security vulnerability assessment and penetration testing.
- anti-virus scanning at all entry points.
- effective firewall and intrusion detection systems.
- vigorous network surveillance and monitoring of suspicious traffic and intrusion attempts.
- prompt incident response and investigation.
- rapid recovery capability.
- effective and tested business continuity and disaster recovery plans.
6 Banks are required to have an open policy of disclosure of security incidents and intrusions affecting their customers. Public announcement of such events, including the mitigating measures taken, should be made in the most timely and prudent manner, taking into account the need to maintain customer confidence. Hacking and intrusion offences must be promptly reported to MAS as well as the police so that these crimes can be investigated and prosecuted. The bank's board and senior management will be held accountable for security lapses and hacking intrusions which they could reasonably have been expected to prevent, or to deal with adequately, through the exercise of due diligence and reasonable skill and care in discharging their responsibility for risk management functions and security practices.
Yours faithfully
SPECIALIST RISK SUPERVISION DEPARTMENT
PRUDENTIAL SUPERVISION GROUP