Preventing Cyberattacks in Finance: MAS Guidelines and Proactive Measures

Updated: Apr 29

Overview


To sustain cyber resilience and trust in the financial system, the Monetary Authority of Singapore (“MAS”) has been focusing increasingly on cyber security by emphasising business continuity, technology risk management and oversight of outsourcing.


A successful cyberattack can cause major damage to the regulatory regime, such as loss of reputation and confidence from global investors, customers, and stakeholders. The nature of cyberattacks varies widely, from simple data breaches and Distributed Denial of Service (“DDoS”) attacks to major ransomware attacks.


Due to the increasing frequency, complexity, and audacity of cyberattacks, MAS has started to issue various notices, information papers and guidelines to Fund Managers to mitigate cybersecurity risk through prevention strategies and the adoption of best practices.


Recent incidents

It was reported on April 9, 2024, that law firm Shook Lin & Bok was hit by a ransomware attack by the Akira ransomware group, which was ultimately settled with a payment in Bitcoin amounting to US$1.4m.


On November 9, 2023, the US arm of China’s biggest lender, the Industrial and Commercial Bank of China (“ICBC”), was hacked by the Lockbit ransomware group, resulting in a company-wide blackout. The hack was so extensive that corporate email ceased to function. The blackout resulted in ICBC’s US arm temporarily owing BNY Mellon US$9 billion, an amount many times larger than its net capital. ICBC ultimately paid an undisclosed amount to Lockbit in order to resume operations.


In the same month, November 2023, the Lockbit ransomware group claimed an attack on the law firm Allen & Overy, which suffered a “data incident impacting a small number of storage servers”.


A number of other high-profile companies were also attacked in 2023. Companies that were not prepared had to resort to manual processes, which severely impacted their daily operations.


As advised by the Singapore Police Force (“SPF”) and the Cyber Security Agency of Singapore (“CSA”), companies should report any incidents to the SPF and CSA’s Singapore Cyber Emergency Response Team immediately and are strongly discouraged from paying the ransom.


Preventive measures

MAS has been issuing various Guidelines, Information papers and FAQs to educate licensed Fund Managers and reinforce the importance of Outsourcing (October 2018, December 2023), Technology Risk Management (“TRM”) (January 2021, February 2024) and Business Continuity Management (“BCM”) (June 2022), to name a few.


Below are a few key technology-related factors to take note of, as well as preventive measures to consider implementing:


1. All licensed Fund Managers must meet the new BCM Guidelines, establish a BCM audit plan and conduct the Company’s first BCM audit by June 30, 2024

2. Identification of Material Outsourcing vendors, and ensuring that alternative backup sites are in place

3. Proper due diligence on IT professional vendors, covering their resources, competency, types of systems used and data resilience policy

4. Enforcement of data and network security through firewalls, user access control, virtual private network (“VPN”), Remote Browser Isolation service, etc.

5. Mobile device management

6. Encryption

7. Technology security assessments such as vulnerability assessments, penetration tests and business continuity exercises


Summary


Technological innovation and advancement are rapidly transforming the financial sector. Digital transformation increases operational efficiency and expands the options and accessibility of information for users, but it also increases exposure to cyber risks. Cyberattacks are becoming increasingly frequent and sophisticated, causing significant harm to both businesses and government agencies.


MAS has identified cyber security as one of the six key focus areas and emphasized that every financial institution plays an important role in building and ensuring a cyber resilient financial sector. The MAS Cyber Security Advisory Panel (CSAP) was also formed in 2017 to advise on strategies for MAS and financial institutions in Singapore to sustain cyber resilience and trust in our financial system.


The Guidelines on Technology Risk Management contain extensive information to provide general guidance to financial institutions on the adoption of sound and robust practices for the management of technology risk. Financial institutions shall, however, implement the Guidelines to the extent and degree that is commensurate with their level of risk and complexity.


How we can help

At Kai Global, we partner with various IT specialist firms to assist you in understanding your IT security, performing gap analysis, and proposing action plans to achieve your IT resilience and data protection objectives.
