MAS announce new rules in Singapore - what does this mean for businesses?

After the SolarWinds supply-chain attack, which exposed thousands of organisations across the world through a compromised software update, the Monetary Authority of Singapore (MAS) has stepped up measures to protect businesses in Singapore.

The new measures, which affect all financial services and e-payment firms, came into effect on Monday 18 January 2021 and introduce a new set of central-bank rules to better mitigate technology risk. MAS has been strengthening cybersecurity standards for some time, including by updating the MAS Technology Risk Management (TRM) guidelines. The SolarWinds breach, however, has brought renewed focus on hardened cybersecurity measures, with more emphasis on third-party vendors.

Who is affected by the new rules?

  • Banks
  • Payment services (e.g. NETS Pay, Singtel Dash)
  • Brokerage firms
  • Insurance firms

What are the new rules?

The revised guidelines from MAS set out higher expectations for the use of third-party service providers, a practice that is becoming more common in the financial sector as firms adopt new digital tools. Technology risk governance and security controls in particular receive new attention.

The MAS TRM guidelines, first issued in 2013, introduced a set of mandatory requirements that are enforceable under the Banking Act. Non-compliance could result in a fine of up to $100,000 for a first offence and a further $10,000 a day for a continuing offence. In 2019 MAS gathered feedback through a public consultation, and the guidelines have been under revision since.

However, since the SolarWinds breach the implementation timeline has been accelerated. The guidelines now in effect include:

    • Thorough screening of third-party suppliers. Under the previous guidelines, screening was not mandatory; a thorough review of technology vendors was only advised.
    • Stricter rules on the use of APIs (application programming interfaces, the code that lets different applications work together and share information). From 18 January, financial institutions must vet API providers on their cybersecurity posture, industry reputation and track record.
    • More secure API development, including encrypting sensitive data exposed through APIs, which attackers could otherwise intercept or use as a route to inject malicious code.
    • Directors and senior management in financial institutions must vet and approve key technology and cybersecurity appointments.

Implementing sustainable change

One of the main obstacles to implementing strong cybersecurity practices within organisations is a lack of oversight from senior management. To drive organisational change, LRQA recommends that senior officials champion awareness and cybersecurity best practice from board level.

LRQA’s VP of Cyber for the Asia Pacific region, Tim Percival, comments:

"The new requirements from MAS TRM are a step in the right direction for any financial-services-based organisation. For too long, third-party companies, including vendors with proprietary software, have had too much freedom within systemically linked organisations' infrastructure. With the new TRM guidelines, there will be much more focus on protecting organisations from being breached as a consequence of the organisations they trust the most, i.e. their technology partners and suppliers."

Having worked with a number of large global financial institutions over the past decade, LRQA strongly believes that people present one of the most significant vulnerabilities to data security. Many financial organisations therefore benefit from implementing Security Awareness Training, with the overarching aim of helping to protect the organisation's data assets.

What’s more, as remote working increases across the financial sector during the ongoing pandemic, organisations and their workers are at greater risk of being targeted by cyber criminals. For more information on the increased cyber risks of remote working, download our free resource.

Further Support

With a dedicated team on the ground in Singapore, LRQA has a wealth of experience in the financial sector and has helped organisations across South East Asia to meet the requirements of financial-sector frameworks such as AASE, iCAST and the latest version of the TRM guidelines.

If you have any concerns about the latest requirements from MAS, please don’t hesitate to get in touch with a member of our dedicated team.