Singapore – Financial Institutions To Be Ready To Comply With Notices On Technology Risk Management.

20 June, 2014

The Monetary Authority of Singapore (“MAS”) has issued Circular No. SRD TR 01/2014 on system vulnerability assessments and penetration testing. The Circular reminds financial institutions (“FIs”) that they are expected to implement robust security measures to ensure that their systems and data are well protected against any breach or loss. The reminder is timely in view of the upcoming deadline of 1 July 2014 when MAS’ various Notices on Technology Risk Management (“Notices”) come into effect. This Update reviews the requirements imposed under the Notices.

Critical Systems

The Notices impose two main duties on all FIs:

  • To make all reasonable effort to maintain high availability for critical systems; and
  • To protect customer information from unauthorised access or disclosure.

By 1 July 2014, FIs will have to have in place measures to comply with these two separate requirements.

FIs will need to have identified which of their systems are critical systems, and which of their systems contain customer information. As defined in the Notices, a critical system is one the failure of which will:

  • cause significant disruption to the operations of the bank; or
  • materially impact the bank’s service to its customers.

These include, but are not confined to, systems which process transactions that are time critical or which provide essential services to customers. The Notices do not define what is meant by “significant disruption”, “materially impact”, “time critical”, or “essential”. However, they do stipulate the following standards for ensuring high availability of an FI’s critical systems:

  • The maximum unscheduled downtime for each critical system that affects an FI’s operations or service to its customers must not exceed a total of four hours within any period of 12 months.
  • FIs are required to establish a recovery time objective of not more than four hours for each critical system.

These suggest that the scale of impact should be measured in terms of seconds and minutes rather than anything longer. Consequently, the more extensive the bank’s services for just-in-time, real time, and 24/7 systems, the more systems are likely to be regarded as critical systems.


Customer Information

The FAQs do note that not all FIs will have systems that fall under the definition of “critical systems”. However, all FIs will store customer information. This is defined in the FAQs as “information held by the FI that relates to its customers and these include customers’ accounts, particulars, transaction details, and dealings with the FI”. The definition is broad and is not confined to information that will allow a customer to be identified.

Circular No. SRD TR 01/2014 states that FIs’ security measures should include the following:

  • Vulnerability assessments: FIs should continuously monitor for emergent security exploits, and perform regular vulnerability assessments of their IT systems against common and emergent threats;
  • Penetration testing: FIs should perform penetration tests at least annually on their internet facing systems; and
  • Timely remediation: FIs should establish a process to effectively remedy issues identified from the vulnerability assessments and penetration testing in a timely manner.

It is also useful to highlight the overlap with the obligations under the Personal Data Protection Act (“PDPA”), section 24 of which provides that an organisation must “protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks”. This section will come into force on 2 July 2014. While the MAS is currently consulting on proposed amendments to the MAS Notices on Prevention of Money Laundering and Countering the Financing of Terrorism to clarify FIs’ obligations in relation to the PDPA, the obligations under section 24 are not affected by this consultation.


Obligation To Report

Under the Notices, FIs will need to have in place systems and protocols to detect and identify system malfunctions and security breaches. Where a malfunction or breach has a severe and widespread impact on the bank’s operations or materially impacts the bank’s service to its customers, FIs will need to notify the MAS of its occurrence within one hour from its discovery. They will also have to submit a root cause and impact analysis report to the MAS within 14 days from its discovery. Over and above any technical information on the incident that the report must contain, it should also cover a description of its impact on the FI’s compliance with laws and regulations applicable to it, its operations, and its service to its customers.

A failure to comply with the Notices may attract a fine, a termination of licence, and other sanctions. The impact of these requirements is widespread, as the definition of financial institutions is broad.

For further information, please contact:

Chung Nian Lam, Partner, WongPartnership

Jeffrey Lim, Partner, WongPartnership