Financial Institutions Need to Review Security Controls Amidst COVID-19: MAS’ Cyber Security Advisory Panel
Singapore, 10 November 2020… The Monetary Authority of Singapore (MAS)'s Cyber Security Advisory Panel (CSAP)
2 Key recommendations from the CSAP meeting include:
- Reviewing risk profiles and adequacy of risk mitigating measures. The Panel discussed the risks and vulnerabilities arising from the rapid adoption of remote access technologies and work processes that could affect FIs’ cyber risk profiles. The meeting highlighted the need for FIs to assess if their existing risk profiles have changed and remain acceptable. This is to ensure that, in the long run, appropriate controls are implemented to mitigate any new risks.
- Maintaining oversight of third-party vendors and their controls. With the increased reliance on third-party vendors, the Panel emphasised the need for FIs to step up their oversight of these counterparts and to monitor and secure remote access by third parties to FIs’ systems. This is even more important during the COVID-19 pandemic, when remote working has become pervasive.
- Strengthening governance over the use of open-source software (OSS). Vulnerabilities in OSS are typically targeted and exploited by threat actors. The Panel recommended that FIs establish policies and procedures on the use of OSS and ensure that such code is robustly reviewed and tested before it is deployed in the FIs’ IT environment.
3 Mr Ravi Menon, MAS’ Managing Director who chaired the CSAP meeting, said, “Singapore’s financial sector has done well so far in its cyber and operational resilience amid the new operating environment created by the pandemic. But as the situation prolongs, that resilience will come under greater stress as cyber attackers look for new vulnerabilities. Financial institutions must remain alert and nimble and strengthen their defences against emerging cyber threats. CSAP members have provided useful recommendations on maintaining cyber security against the backdrop of growing reliance on remote working arrangements and cloud service providers.”
4 Over two days of virtual meetings, the Panel also exchanged views with the Association of Banks in Singapore Standing Committee on Cyber Security (SCCS) and the Insurance SCCS on enhancing cloud resiliency, monitoring insider threats, and the role of cyber insurance in risk management. Participants included representatives from government agencies such as the Ministry of Communications and Information, the Ministry of Defence, and the Government Technology Agency.