The Monetary Authority of Singapore (MAS) has revised its Technology Risk Management Guidelines* to keep pace with emerging technologies and shifts in the cyberthreat landscape. The recent spate of cyberattacks on supply chains, which targeted multiple IT service providers through the exploitation of widely-used network management software, is a clear indication of a worsening cyberthreat environment, MAS said.
The Technology Risk Management Guidelines are a set of best practices that provide financial institutions (FIs) with guidance on the oversight of technology risk management, practices and controls to address technology and cyber risks. An institution's observance of the guidelines is taken into account when MAS conducts risk assessment of FIs.
The guidelines reinforce the importance of incorporating security controls as part of FIs’ technology development and delivery lifecycle, as well as in the deployment of emerging technologies. The revised guidelines** address technology and cyber risks in an environment of growing use of cloud technologies, application programming interfaces (APIs), and rapid software development.
The revised guidelines set out the following enhanced risk mitigation strategies for FIs:
• To establish a robust process for the timely analysis and sharing of cyberthreat intelligence within the financial ecosystem; and
• To conduct cyber exercises to allow FIs to stress test their cyberdefences by simulating the attack tactics, techniques, and procedures used by real-world attackers.
In light of FIs’ growing reliance on third-party service providers, the revised guidelines set out the expectation for FIs to exercise strong oversight of arrangements with third-party service providers, to ensure system resilience as well as maintain data confidentiality and integrity, MAS said.
The revised guidelines provide additional guidance on the roles and responsibilities of the board of directors and senior management:
• The board and senior management should ensure that a Chief Information Officer (CIO) and a Chief Information Security Officer (CISO), with the requisite experience and expertise, are appointed and accountable for managing technology and cyber risks; and
• The board should include members with the relevant knowledge to provide effective oversight of technology and cyber risks.
Tan Yeow Seng, Chief Cyber Security Officer, MAS, said, “Technology now underpins most aspects of financial services. Not only are financial institutions adopting new technologies, they are also increasingly reliant on third-party service providers. The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions.”
MAS is likely referencing a wide-ranging December cyberattack which made use of SolarWinds technology.
Joanne Wong, VP, International Markets, LogRhythm, commented: “The recent SolarWinds incident will go down as one of the most consequential cyberattacks of the past decade, and serves as a firm reminder for anyone operating in the digital space to never let their guard down. Beyond more vigorous screening for external tech vendors, enterprises must take a more proactive stance to safeguard their operations. It is imperative that they maintain visibility over their entire network - including their trusted third-party vendor - to ensure they can identify and remediate threats with speed. After all, as the cyber threatscape continues to evolve, no one can afford to be sitting ducks for the next big attack.”
*The guidelines should be read in conjunction with the Notice on Technology Risk Management and Notice on Cyber Hygiene.
**The revisions incorporate feedback received from a public consultation conducted in 2019, MAS’ engagement with the industry, and from MAS’ Cyber Security Advisory Panel (CSAP). The CSAP, which was formed in 2017, comprises leading cybersecurity experts and thought leaders from around the world. The panel advises MAS on strategies to enhance cyber resilience in the financial system.