MAS offers guidance on mitigating supply chain threats
Monetary Authority of Singapore revises its technology risk management guidelines to help the financial sector guard against supply chain attacks
Singapore’s central bank has revised its technology risk management guidelines to help the financial sector guard against supply chain attacks, which have been getting more prevalent and dangerous.
In a statement, the Monetary Authority of Singapore (MAS) said the revised guidelines focus on addressing technology and cyber risks as financial institutions make growing use of cloud technologies, application programming interfaces (APIs) and agile software development.
Among other things, the revised guidelines will require financial institutions to assess and manage their exposure to technology risks that may affect the confidentiality, integrity and availability of the IT systems and data held at third-party IT service providers.
They should also ensure their IT service providers employ a high standard of care and diligence in protecting data confidentiality and integrity, as well as ensuring system resilience. Background checks should also be conducted on third-party personnel who have access to a financial institution’s systems and data.
Just as critical in mitigating supply chain attacks is the security of APIs, which are being used by financial technology (fintech) startups to deliver products and services in collaboration with financial institutions.
The MAS said a well-defined vetting process should be implemented for assessing third parties’ suitability in connecting to the financial institution via APIs, as well as governing third-party API access. The vetting criteria should consider factors such as the third party’s nature of business, cyber security posture, industry reputation and track record.
Financial institutions should also perform a risk assessment before allowing third parties to connect to their IT systems via APIs, and ensure that the implementation of each API is commensurate with the sensitivity and business criticality of the data being exchanged and with that data's confidentiality and integrity requirements.
Finally, security standards for designing and developing secure APIs should be established. These standards should include measures to protect the API keys or access tokens that are used to authorise access to APIs to exchange confidential data.
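The guidelines leave the concrete protection of API keys and tokens to each institution. The following is an added illustration, not code from MAS, Computer Weekly or any bank, of the server-side controls a practitioner would typically put behind such a standard: tokens are stored only as hashes (so a database leak does not yield usable credentials), compared in constant time, bound to a vetted third party, limited to named API scopes, given an expiry, and revocable when a counterparty is offboarded. The class and method names, the third-party identifier `fintech-a` and the scope strings are all constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """What the server retains for an issued token: never the token itself."""
    token_hash: str        # SHA-256 of the bearer token
    third_party: str       # vetted counterparty the token was issued to
    scopes: frozenset      # APIs this token is allowed to call
    expires_at: float      # Unix time after which the token is dead
    revoked: bool = False


class TokenStore:
    """Hypothetical API token store: hashed at rest, constant-time compare,
    per-API scope, expiry and revocation."""

    def __init__(self, ttl_seconds: int = 3600):
        self._records: list[TokenRecord] = []
        self._ttl = ttl_seconds

    @staticmethod
    def _hash(token: str) -> str:
        # A plain SHA-256 is adequate here because the token is 256 bits of
        # CSPRNG output, not a human-chosen secret; no slow KDF is needed.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, third_party: str, scopes, now: float | None = None) -> str:
        """Mint a token for a vetted third party. Only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records.append(TokenRecord(
            token_hash=self._hash(token),
            third_party=third_party,
            scopes=frozenset(scopes),
            expires_at=now + self._ttl,
        ))
        return token  # returned once to the caller; never logged or persisted

    def verify(self, presented: str, api_scope: str,
               now: float | None = None) -> tuple[bool, str]:
        """Return (allowed, reason-or-third-party) for a presented token."""
        now = time.time() if now is None else now
        presented_hash = self._hash(presented)
        for rec in self._records:
            # compare_digest avoids leaking how many leading bytes matched
            if hmac.compare_digest(rec.token_hash, presented_hash):
                if rec.revoked:
                    return False, "revoked"
                if now >= rec.expires_at:
                    return False, "expired"
                if api_scope not in rec.scopes:
                    return False, "out of scope"
                return True, rec.third_party
        return False, "unknown token"

    def revoke_all(self, third_party: str) -> int:
        """Kill every live token of a counterparty (e.g. on offboarding)."""
        count = 0
        for rec in self._records:
            if rec.third_party == third_party and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    # Constructed walkthrough with fixed timestamps so the outcome is stable.
    store = TokenStore(ttl_seconds=600)
    tok = store.issue("fintech-a", {"accounts:read"}, now=1000.0)
    print(store.verify(tok, "accounts:read", now=1100.0))     # (True, 'fintech-a')
    print(store.verify(tok, "payments:write", now=1100.0))    # (False, 'out of scope')
    print(store.verify(tok, "accounts:read", now=1600.0))     # (False, 'expired')
    print(store.verify("guess", "accounts:read", now=1100.0)) # (False, 'unknown token')
    print(store.revoke_all("fintech-a"))                      # 1
    print(store.verify(tok, "accounts:read", now=1100.0))     # (False, 'revoked')
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; in production the default `time.time()` is used. In a real deployment the records would live in a database and the denial reasons would feed monitoring, since a burst of "unknown token" or "out of scope" results from one counterparty is exactly the signal the guidelines' threat-intelligence and review processes are meant to act on.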
The MAS also weighed in on the recent attack on multiple IT service providers through the exploitation of SolarWinds’ network management software, noting that it was a clear indication of a worsening cyber threat environment.
Against this backdrop, the revised guidelines require financial institutions to establish a robust process for the timely analysis and sharing of cyber threat intelligence within the financial ecosystem, and to conduct cyber exercises enabling them to stress-test their cyber defences.
Stella Cramer, head of technology and innovation in Asia Pacific at global law firm Norton Rose Fulbright, said the measures recommended in the guidelines are good practice and most will already be part of the standard operating procedures at larger financial institutions.
Even though the guidelines spell out measures to mitigate cyber threats, Cramer told Computer Weekly that financial institutions can still make assessments of the appropriate access controls they will implement for particular systems based on the criticality of those systems and the sensitivity of information.