Although the Monetary Authority of Singapore (“MAS“) cybersecurity guidelines have been around since 2013, it was only in August this year that they became legally binding for any financial institution that operates in the country.
The requirements state that banks operating in Singapore need to do the following:
- Establish and implement robust security for IT systems
- Ensure updates are applied to address system security flaws in a timely manner
- Deploy security devices to restrict unauthorised network traffic
- Implement measures to mitigate the risk of malware infection
- Secure the use of system accounts with special privileges to prevent unauthorised access
- Strengthen user authentication for critical systems as well as systems used to access customer information
But why is this important for UK banks now, and should our regulatory bodies be replicating these new rules to make sure the UK banks have best-practice cybersecurity?
This regulation is important for any bank that does business in Singapore, or has customers that operate in the country. As more businesses seek to use Singapore as a ‘gateway’ to Asian markets, then this actually applies to a growing number. Fortunately, a majority of UK banks already have the required security measures in place – but this could be down to the fact that MAS is incredibly well written; it makes achieving compliance seem simple and straightforward. The emphasis that they place on prioritising ease of understanding sits in stark contrast to the likes of GDPR which set myriad targets, with very little detail or guidance of how to get there.
That said, appearances can be deceiving. While complying with MAS may seem straightforward, there are a couple of tricky kinks in the road that can prove to be a challenge. First is the need for banks to implement a suitable process that enables them to identify vulnerabilities. Second is the ability to sift through thousands of these vulnerabilities and determine which present the biggest risks. Owing to the sheer size and complexity of a global IT system, it\’s easy to see how these tasks can cause headaches at international banks. It is impossible to manage these processes effectively without automated solutions and a huge amount of resources.
It absolutely makes sense for MAS to become an international standard. Perhaps if it had been in place a year or two ago, TSB and Nationwide wouldn’t have had to deal with its recent breaches and service outages. Enforcing an international standard, however, would be more difficult owing to the differences in banking operations across a number of regions. That said, if MAS isn’t made compulsory for global banks then we could eventually end up with a two-tier international banking market: tier-one banks would be MAS compliant and tier-two would have less-stringent policies meaning they could also offer cheaper products and services but would leave their customers vulnerable to attack.