Published Date: 30 September 2019

“Building cyber resilience across the financial sector” - Opening speech by Mr Vincent Loy, Assistant Managing Director (Technology), Monetary Authority of Singapore, at the 3rd Cyber Security Advisory Panel Meeting, on 30 September 2019

1.     Good morning to our guests from the industry and fellow agencies, and to our esteemed members of the Monetary Authority of Singapore (MAS) Cyber Security Advisory Panel. It is my pleasure to welcome all of you to the third MAS Cyber Security Advisory Panel meeting or CSAP in short.

2.     To the panellists, thank you for taking time off from your busy schedules to attend this important meeting. I hope you enjoy your time here, both from the engaging discussions we will have, as well as the sights and sounds of Singapore.

3.     The CSAP was formed in 2017 with the aim of bringing cybersecurity experts and thought leaders from around the world to advise MAS on strategies to enhance cyber resilience of Singapore’s financial sector.

4.     This year, a new panel has been appointed for a term of two years, with five new members and five returning members. I look forward to hearing from each of our CSAP members in attendance and learn from your experiences.

5.     Cyber threats in the financial sector have become more prominent in recent years as more organisations move into and expand in the digital world. The frequency, scale, and complexity of cyber-attacks are mounting.

6.     Given the interconnectedness in the financial ecosystem and the borderless nature of cyber threats, the financial sector must work closely together to manage cyber risks, strengthen our cyber resilience and ensure the smooth and safe delivery of key financial services.

7.     That being said, the financial sector is no stranger to cyber risks and it has been adapting to the evolving cyber threat landscape for the past two decades. For the rest of this morning, representatives from the industry will be sharing their insights on a number of cybersecurity topics and strategies they have adopted to deal with cyber threats.

8.     What I will do now, is to share with you some background on steps MAS has taken over the years to manage technology and cyber risk to build collective cyber resilience across the sector and with our fellow financial regulators. Specifically, I will share with you our activities in five areas, (1) Regulations and guidance, (2) Industry collaboration and support, (3) Collaboration with national and international agencies, (4) Information sharing and (5) Consumer education.

9.     Firstly, Regulations and Guidance. From as early as 2001, MAS has been issuing guidelines and circulars relating to technology risk management (TRM), and to keep pace with the evolving best practices in the industry, we are updating the guidelines after our consultation with the public earlier this year.

10.    In 2013, a few measures on implementing strong resiliency, protecting customer information, and incident reporting, were hardened into legally binding requirements.

11.    In August this year, we issued our second set of requirements through the Notice on Cyber Hygiene, which requires financial institutions in Singapore to implement essential cybersecurity measures to strengthen cyber resilience. Our returning CSAP members will recall that in 2017, we had consulted them on these same measures. 

12.    Secondly, Industry Collaboration and Support. In addition to MAS’ regulatory and supervisory efforts, MAS works closely with the industry associations to undertake sector-wide cyber initiatives, such as conducting regular industry-wide business continuity and cyber risk exercises, and working with industry associations to establish Standing Committees on Cyber Security.

13.    In fact, today’s industry engagement session would not have been possible without the support of representatives from the banking and insurance associations.

14.    Last year, MAS also launched a S$30 million Cybersecurity Capabilities Grant to help financial institutions build advanced capabilities and develop local talent in cybersecurity. This grant will entice financial institutions to build their global or regional cybersecurity centres of excellence in Singapore which will help us expand and deepen cybersecurity capabilities locally.

15.    Thirdly, Collaboration with National and International Agencies. At the national level, MAS is a sector lead in a tiered surveillance framework with the Cybersecurity Agency of Singapore, or CSA, coordinating cybersecurity efforts across sectors. We have been working closely with CSA for the past few years to strengthen critical information infrastructure operators in the financial sector.

16.    At the international level, MAS is an active participant in a number of international standards setting bodies and working groups with peer regulators. MAS has been involved in the key cyber-related guidance released by these bodies, such as the Financial Stability Board, the Committee on Payments and Market Infrastructure, the International Association of Securities Commissions, and the International Association of Insurance Supervisors.

17.    This year, MAS was invited to chair the Financial Stability Board’s working group on Cyber Incident Response and Recovery or CIRR. The CIRR will develop a toolkit of effective practices for financial institutions, as well as for supervisors and other relevant authorities to support financial institutions before, during and after a cyber-incident. Our CSAP members in attendance will also be provided the opportunity to contribute to the CIRR when they meet the working group this Wednesday.

18.    Fourthly, Information Sharing. Information sharing is a practice that we strongly believe in, and we are doing this in several ways.

19.    As mentioned earlier, the banking and the insurance sectors have their standing committees on cybersecurity where industry cyber issues and initiatives are discussed and pursued.

20.    Additionally, the Financial Services – Information Sharing and Analysis Centre, or FS-ISAC, has been facilitating information sharing among financial institutions across the world for several years. In 2017, we worked with them to establish their Asia Pacific Regional Analysis Centre in Singapore to provide 24/7 local and global coverage with threat information sharing, actionable intelligence, as well as tools and resources to respond to incidents.

21.    While the industry has several channels to gather and share information, regulators too have several avenues to do the same.

22.    MAS gathers and shares information through the various working groups of international standard setting bodies that we participate in. MAS has also established bilateral arrangements on cyber information sharing with our foreign counterparts. We have such relationships with the Hong Kong Monetary Authority and UK authorities such as the Bank of England and the Financial Conduct Authority, as well as other cyber threat research institutes around the world.

23.    However, to exchange cyber threat intelligence quickly and to multiple parties for the greater herd resilience, last year, we worked with FS-ISAC to establish the CEntral banks, REgulators and Supervisors (CERES) Forum to facilitate multi-lateral information sharing. This platform, which already has members spanning the five continents, enables authorities to share and distribute information on cyber threats, vulnerabilities, incidents and other intelligence that could impact the financial ecosystem.

24.    And lastly, Consumer Education. Promoting Consumer Awareness is a team effort and everyone has a part to play. Cybersecurity measures are only effective to the extent that consumers observe good cyber hygiene and practices on their part. To this end, MAS has stepped up efforts to alert investors and the public of cyber risks through MoneySense, Singapore’s national financial education programme.

25.    MAS also works with the CSA, Singapore Police Force and industry associations to raise public awareness of online scams and cybercrime through various programmes, such as the television programme Crimewatch and GoSafeOnline, an online resource for individuals and businesses.

26.    We have also been working with SkillsFuture Singapore, the Infocomm and Media Development Authority (IMDA), industry associations and local universities to provide opportunities for continuing education training for polytechnic graduates and ICT professionals for upskilling and reskilling.

27.    In fact, we are also pleased to have in our audience today, students from the five local polytechnics and two universities. I hope that you find the presentations and discussions useful, and show your fullest support to your fellow students who will be presenting later as well.

28.    So What’s next? I have spoken much about the positive steps we have taken. However, we cannot be complacent and rest on our laurels. This CSAP meeting is organised precisely so that we can look forward and identify emerging risks, develop strategies to manage them, and work together to enhance our financial sector’s cyber resilience.

29.    We have an exciting agenda ahead for the rest of this morning with discussions on artificial intelligence, cloud resilience, digital transformation, evolving software development methodologies, and I encourage everyone to ask questions so that we can all benefit from the different perspectives in the room. The discussions for this year’s CSAP meeting will focus on several areas where we see potential for cyber risks to grow, as well as areas where a deeper understanding of the risks is required.

30.    With that, I would like to once again thank you all for joining us and wish for everyone to have a fruitful session ahead.