
MAS announces new cyber hygiene rules

It is first financial authority to mandate such measures, to kick in next year

All financial services and e-payment companies here must follow a set of cyber hygiene rules from August next year, with Singapore's central bank stepping up efforts to strengthen the sector's defence against rising threats.

The Monetary Authority of Singapore (MAS) announced the mandatory rules yesterday, saying the sector will be more exposed to risks when it opens up to more technology players including e-wallet services and cryptocurrency companies.

E-payment companies include GrabPay and Singtel Dash, while companies like Binance Singapore and Luno are involved in the cryptocurrency business.

MAS said the 1,600-plus financial institutions it licensed, including banks and stock brokerage firms, will have to comply with the cyber hygiene rules.

It is the first financial authority in the world to mandate cyber hygiene, which includes the need for strong passwords, multi-factor authentication and firewalls to restrict unauthorised network traffic.

These measures - which include regular updates of anti-virus software and validation of who has access to administrative accounts - are legally binding, and those who fail to comply may face sanctions.

CONSULTATIONS

The MAS' toughened stance follows two years of consulting with the industry and a spate of data breaches globally.

"When we looked at all the incidents that happened globally and in Singapore, we realised that 90 per cent of them are a result of basic cyber hygiene not being followed," said Mr Vincent Loy, assistant managing director of technology at MAS, in an interview with The Straits Times.

The most recent massive breach took place in March and involved the account and credit card applications of some 106 million American customers of US bank Capital One.

In Singapore, a breach in June last year saw the personal data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people stolen. It was billed as Singapore's worst data breach.

The Capital One intrusion occurred through a misconfigured Web application firewall that enabled access to the data.

"All the cyber security incidents confirmed the need for a set of cyber hygiene rules, which we first thought of having two years ago," said Mr Loy, who oversees all things technology, data and cyber security related at MAS.

On why the financial sector often has to take the lead in risk management, he said: "Unlike other sectors, the impact of cyber breaches in the financial services sector is much more immediate and pronounced as we are dealing with money and customers' confidential data."
