Monetary Authority of Singapore (MAS) proposes ways to enhance financial sector cyber resilience
The Cyber Security Advisory Panel (CSAP) of the Monetary Authority of Singapore (MAS) provided insights and suggestions on how Singapore’s financial sector can harness the benefits of new technologies while remaining cyber resilient. At its second annual meeting chaired by Mr Ravi Menon, Managing Director, MAS, the international panel also provided advice on MAS’ own cyber resilience strategies.
CSAP members shared their views on the growing adoption of new technologies, emerging user authentication methods for online financial services, and the use of open application programming interfaces (APIs) by financial institutions (FIs). They also discussed MAS’ roadmap on initiatives to expand its cyber intelligence coverage, reinforce protection capabilities, reduce time to recover from incidents, and develop cyber security talent.
Public cloud services and APIs
Public Cloud Services – FIs are increasingly using public cloud services for cost savings, system scalability, and speed to market. CSAP members suggested that small and medium-sized FIs, given their limited resources and capabilities, can improve their cybersecurity posture by using reputable cloud solution providers that have strong cybersecurity capabilities.
CSAP members acknowledged concerns about concentration risks arising from a growing number of financial services relying on a limited pool of cloud service providers. In particular, FIs should implement measures to secure data stored on the cloud and their network connections to the cloud service provider. Members also said that cloud service providers should provide greater transparency to their customers on how they implement security measures to protect their systems and information.
APIs – FIs are actively making their APIs available to third parties such as service providers and business partners to enrich the quality and customisation of their financial services. As APIs expose FIs to a higher risk of cyber threats, CSAP members proposed measures which FIs may adopt when embarking on their open API journey. These measures include performing risk assessments of the third parties using their APIs and monitoring activities related to API services for suspicious events.
The CSAP met representatives from the Standing Committee on Cyber Security from The Association of Banks in Singapore, The Life Insurance Association Singapore, and The General Insurance Association of Singapore. The industry associations had candid exchanges with the panel on the benefits that FIs can reap from employing artificial intelligence and machine learning to augment their cyber defence capabilities. The CSAP also highlighted the usefulness of identifying vulnerabilities through bug bounty programmes and “red-teaming” and recommended that FIs consider adopting these as part of their security testing frameworks.
Bug bounty programmes are initiated by organisations to reward individuals for discovering and reporting vulnerabilities on their systems without fear of legal repercussions. Red-teaming is the use of a red-team (i.e. a team of ethical hackers) to continuously test for weaknesses in an organisation’s people, processes and technology by adopting a hacker’s mind-set.