"Managing Technology Risks in the Financial Sector" - Welcome Address by Mr Wong Nai Seng, Assistant Managing Director, Monetary Authority of Singapore at the ABS – MAS Technology Risk Seminar on 21 November 2013
Introduction
1 Ladies and gentlemen, good morning and welcome to the first ABS – MAS Technology Risk Seminar.
2 I am very happy to see this large gathering of IT and risk professionals from the financial industry as well as fellow IT regulators from around the world.
3 I hope this seminar will provide an opportunity for all of you to exchange views and insights on the latest developments in information security and technology risk management.
Addressing Technology Risks in the Financial Sector
4 From the first ATMs to mobile banking and the latest in biometrics, technology has been a key enabler for the financial industry, indeed a source of competitive advantage. The use of technology has become so extensive today that it now forms an integral part of our business and operations.
5 As its importance grows, so have the risks. In particular, the threat of cyber attacks has escalated. The massive Distributed Denial of Service (DDoS) attacks on American banks in the past two years are a case in point. The sophistication and frequency of such attacks would only increase with the ubiquitous nature of the internet and easily available hacking tools. I was told that some of these tools can even be downloaded for free, along with how-to videos.
6 We need to address these cyber security risks to safeguard the operations of our financial institutions and maintain public confidence in our system. Just because technology presents risks does not mean that we should then limit its use. That would be self-defeating. A more meaningful approach would be to take proactive measures to mitigate the risks, so that technology can continue to support and power financial sector development.
7 At the national level, the Government has announced a five-year National Cyber Security Masterplan. One component of this plan is a $130 million National Cyber Security Research and Development Programme to support cyber security research. Another component is to enhance the security and resilience of critical information infrastructure (CIIs), including those in the financial sector.
8 Within the financial sector, MAS has been working closely with the industry to address cyber security threats. We adopt a three-pronged approach, focusing on:
- Principles
- Preparedness
- Partnership
I call them the “3Ps”, and will elaborate on each in turn.
Principles
9 The first “P” is Principles. This refers to the underlying principles that guide our approach to addressing cyber security risks. These principles are encapsulated in the Technology Risk Management (TRM) Notice and Guidelines that MAS issued in June. They were issued following extensive consultation with the industry and represent good practices that all financial institutions should adopt.
10 Nonetheless, our operating environment, as well as the threats that we face, are constantly evolving. No rule can cover every situation. That is why the principles that underlie our TRM Notice and Guidelines bear repeating. They can serve as guideposts when we encounter new challenges. The three principles are:
- Confidentiality
- Integrity
- Availability
11 Confidentiality refers to safeguarding sensitive customer information from unauthorised access or exposure.
12 Integrity means preserving the integrity of financial transactions and records against unintended or unauthorised changes.
13 Availability means making sure that financial services remain available to customers.
14 A good example for applying these principles is cloud computing. This is an area that has attracted the attention of global financial regulators lately. MAS does not prohibit cloud computing. In fact, MAS has approved its use in particular cases.
15 In those cases, the financial institutions recognised the inherent risks in the outsourcing arrangement and took proactive steps to mitigate them. For example, cloud computing typically entails multi-tenancy and data commingling. This exposes financial institutions to possible attacks from other users who share the same system. Financial institutions should therefore pay particular attention to customer data confidentiality and integrity as well as system availability issues when considering such arrangements. Possible risk mitigation strategies include strong encryption and authentication, data segregation, and fault-tolerant system design.
16 Financial institutions cannot shortcut their own risk assessments and expect MAS to give a blanket endorsement of particular cloud computing providers as suitable for use by everyone. MAS cannot do so, not for cloud computing providers nor any other outsourced service providers. This is because the risks and the appropriate responses vary depending on each institution’s business model as well as the applications and data it wishes to outsource. Only the financial institution involved can make such a judgement. MAS will then evaluate whether the financial institution has adequately addressed the principles of confidentiality, integrity and availability.
Preparedness
17 The second “P” is Preparedness. Being prepared means putting in place appropriate controls to mitigate risks before adopting new technology solutions. It also means maintaining vigilance and scanning the environment for threats even as we look to exploit new technologies and innovations.
18 Two examples come to mind. First, mobile financial services. Threats, such as viruses, malware and hacking, used to exist only in the internet world. However, with the advent of smart phones and tablets and the convergence of mobile networks and the internet, these threats are quickly spreading into the mobile space. Financial institutions should be sensitive to these threats and implement proper safeguards when offering services on mobile platforms.
19 Second, the Bring-Your-Own-Device movement, or BYOD. While corporate IT devices are typically locked down with stringent security configurations, the same cannot be said for personal devices. Further, current security solutions on mobile platforms may not be as strong as those on the PC platform. Financial institutions that embrace BYOD without implementing proper controls may therefore find themselves exposed to a higher risk of data loss and other security breaches.
Partnership
20 The third “P” is Partnership. More can be achieved together than alone. MAS aims to deepen its partnership with the industry and various other stakeholders, such as relevant government agencies and key infrastructure operators.
21 One major aspect of partnership would be the sharing of cyber intelligence. This promotes greater situational awareness and enhances our effectiveness in neutralising cyber threats quickly. Further, given how information systems are interconnected across institutions, coordinated responses by all stakeholders can help prevent a threat from spreading throughout the network.
22 The ABS Standing Committee for Cyber Security (or SCCS) serves this very purpose. Launched in July, the Committee is currently chaired by OCBC and comprises the Chief Information Security Officers and Chief Technology Officers from the major financial institutions. MAS supports this initiative. We are particularly happy to see members sharing information during the recent web attacks by Anonymous. I would like to encourage more such collaboration.
23 The ABS-MAS Technology Risk Seminar is another example of partnership that we want to continue nurturing. I hope this seminar can serve as a platform for sharing knowledge and exchanging ideas on the latest technology risks and how to deal with them.
Conclusion
24 On this note, I would like to thank Ai Boon and her team at ABS for their excellent work in organising this seminar. They have put together an interesting agenda, covering a range of topics from ATM and payment card fraud, to malware attacks and biometrics. As we discuss each of these topics, let’s consider how the 3Ps of Principles, Preparedness and Partnership can apply.
25 I wish all of you an enjoyable and fruitful seminar.