The MAS noted that increased use of cloud technologies, application programming interfaces, and rapid software development by financial institutions (FIs) needs to be matched with appropriate cyber risk management strategies.
The goal emphasizes the importance of incorporating security controls as part of FIs’ technology development and delivery lifecycle, as well as in the deployment of emerging technologies.
The update is also in response to the spike in cyberattacks against supply chains, which targeted multiple IT service providers through the exploitation of widely used network management software.
The guidelines call for the implementation of a robust process for the timely analysis and sharing of cyber threat intelligence within the financial ecosystem. They also require FIs to conduct stress testing of cyber defences by simulating the attack tactics, techniques, and procedures used by real-world attackers.
The MAS is putting the onus on FIs to exercise strong oversight of arrangements with third-party service providers, to ensure system resilience as well as maintain data confidentiality and integrity.
It also makes FIs responsible for hiring experienced CIOs and CISOs, who will be held accountable for managing technology and cyber risks.
In a press release, Tan Yeow Seng, chief cyber security officer, MAS, said technology is part of most financial services operations. He added that as FIs adopt new technologies, they are also relying more on third-party service providers.
In light of these, “the revised Guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions,” he explained.
Boris Cipot, senior security engineer at Synopsys Software Integrity Group, noted that the revised guidelines define the profile of the partner or supplier FIs would work with. He cautioned that the revisions may affect the supplier’s internal processes and workflow. It might also be time-consuming to reach compliance. He raised the concern that these new rules might also cause problems for the company and how their technologies work.
Jagdish Mahapatra, managing director (Asia), CrowdStrike, said many companies are continuing to operate a remote working model, which comes with its own set of challenges and exposes companies to vulnerabilities in their IT systems.
He added that while this is definitely a step in the right direction when it comes to safeguarding businesses’ cybersecurity, corporates and organisations themselves must remain vigilant against potential attacks on their systems and implement processes to prevent, detect and respond to threats with speed and agility.
“Companies can start by adopting a strong defensive posture by ensuring that remote services, VPNs and multifactor authentication solutions are fully patched and properly integrated, before incorporating other prevention tools,” Mahapatra concluded.