Response to "Questions remain over bank's stolen data" - The Straits Times, 9 December 2013
11 December 2013
The Editor
ST Forum
Dear Editor,
The Monetary Authority of Singapore (MAS) thanks Mr Francis Cheng for his letter, offering lessons and suggestions arising from the recent theft of customer data belonging to Standard Chartered Bank (“Questions remain over bank’s stolen data”, The Straits Times, 9 December 2013). Mr Cheng expressed his concern about the reliability of banks conducting their own internal IT checks, and also suggested that MAS convene an independent financial technology audit committee to conduct stress tests on banks’ IT systems.
Banks in Singapore have in place sound IT security standards to maintain efficient delivery of their services and to safeguard customer information. These standards are governed by the banks’ own internal IT security policies as well as the minimum expectations set out in MAS’ Technology Risk Management Guidelines.
MAS’ guidelines require banks to conduct regular internal tests on their systems and networks. These include security vulnerability assessments and penetration tests to identify and rectify any security weaknesses. To ensure that the assessments are objective and robust, banks are required to engage IT security professionals with the required expertise, who are not involved in the operation of the banks’ systems.
These assessments and the required follow-up remedial actions are subject to reviews by both internal and external auditors. MAS also reviews these assessments to ensure that the scope of the review, expertise engaged in the testing, and follow-up actions are appropriate.
Angelina Fernandez
Director (Communications)
Monetary Authority of Singapore