These requirements will help FIs strengthen their cyber resilience and guard against cyber attacks.

FIs will be required to implement six cyber security measures:

address system security flaws in a timely manner;
establish and implement robust security for systems;
deploy security devices to secure system connections;
install anti-virus software to mitigate the risk of malware infection;
restrict the use of system administrator accounts that can modify system configurations; and
strengthen user authentication for system administrator accounts on critical systems.

Cyber breaches are often the result of insecure system configurations or compromised system accounts. These measures, which are already part of the existing MAS Technology Risk Management Guidelines, are aimed at enhancing the security of FIs’ systems and networks as well as mitigating the risk of unauthorised use of system accounts with extensive access privileges. MAS is proposing to stipulate these measures as a baseline hygiene standard for cyber security by elevating them into legally binding requirements.

Mr Tan Yeow Seng, Chief Cyber Security Officer, MAS, said, “The proposed Notice on Cyber Hygiene seeks to strengthen the overall readiness of all financial institutions to address cyber threats by delineating a clear and common cyber security waterline for the financial industry. This will help ensure that our financial sector as a whole continues to be resilient to cyber threats.”

The public consultation will run from 6 September to 5 October 2018. A copy of the public consultation paper is available on the MAS website. MAS welcomes members of the public to give their feedback on the proposed Notice.

Additional information:

FIs are also currently required to implement information technology controls to protect customer information from unauthorised access or disclosure under MAS’ Notice on Technology Risk Management.