The guidelines aim to promote the adoption of sound practices for managing technology risks in the financial sector.
On 18 January 2021, the Monetary Authority of Singapore (the MAS) issued revised guidelines (the Guidelines) to take into account the fast-changing cyber threat landscape and financial institutions' increased reliance on cloud technologies, application programming interfaces (APIs), and rapid software development. The Guidelines apply to all banks, payment services firms, and brokerage and insurance firms.
The Guidelines, which became effective immediately on the date of issue, aim to assist financial institutions by providing them with a framework of best practices for overseeing technology risk governance, practices, and controls to address technology and cyber risks. The Guidelines are not intended to be exhaustive or prescriptive, and incorporate feedback received from the public consultation conducted in 2019.
The following key changes were introduced.
- The board of directors and senior management of financial institutions are responsible for implementing an appropriate risk management framework and internal controls. They should be involved in key IT decisions that may change the financial institution's risk appetite and strategy, including vetting and approving key technology and cybersecurity appointments.
- Financial institutions should adopt standards on secure coding, source code review, and application security testing to prevent software bugs and vulnerabilities from being exploited. For example, financial institutions should:
  - Ensure their software developers are trained to apply these standards when developing applications
  - Use a combination of security testing methods to validate the security of the software application
  - Adopt secure software development best practices when using Agile development methods
- Financial institutions should vet third parties that have access to their APIs by considering factors such as the nature of their business, cybersecurity posture, industry reputation, and track record. Financial institutions should also establish security standards for developing secure APIs and adopt strong encryption standards and key management controls to secure the transmission of sensitive data.
- Financial institutions should ensure IT audits give the board of directors an independent and objective opinion of the adequacy and effectiveness of their risk management and internal controls relative to their current and emerging technology risks.
- Financial institutions should develop comprehensive data loss prevention policies and adopt measures to strengthen operational infrastructure security. For example, they should ensure that confidential data is stored in databases, and that encryption systems and endpoint devices are protected by strong access controls.
- Financial institutions should establish a robust process for the timely analysis and sharing of cyber threat intelligence with trusted parties, as well as for conducting regular cyber security assessment exercises that allow financial institutions to stress test their cyber defences.
Financial institutions should carefully review the Guidelines and make adjustments based on the size, nature, and complexity of their business. The Guidelines provide general guidance that expounds on the mandatory requirements set out in the MAS Notice on Technology Risk Management, without intending to replace or override any legislative provisions. The Guidelines reflect the MAS' expectations for technology risk management and security controls in financial institutions, but are not to be regarded as a statement of the standard of care owed by financial institutions to their clients.
This article is made available by Latham & Watkins for educational purposes only, as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your receipt of this communication alone creates no attorney-client relationship between you and Latham & Watkins. Any content of this article should not be used as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction.