This article is part of our Essential Guide: Essential Guide: How APAC firms can ride out the pandemic

MAS offers guidance on mitigating supply chain threats

Monetary Authority of Singapore revises its technology risk management guidelines to help the financial sector guard against supply chain attacks

Singapore’s central bank has revised its technology risk management guidelines to help the financial sector guard against supply chain attacks, which have been getting more prevalent and dangerous.

In a statement, the Monetary Authority of Singapore (MAS) said the revised guidelines focus on addressing technology and cyber risks in an environment of financial institutions’ growing use of cloud technologies, application programming interfaces (APIs) and agile software development.

The revised guidelines, among others, will require financial institutions to assess and manage their exposure to technology risks that may affect the confidentiality, integrity and availability of the IT systems and data at third-party IT service providers.

They should also ensure their IT service providers employ a high standard of care and diligence in protecting data confidentiality and integrity, as well as ensuring system resilience. Background checks should also be conducted on third-party personnel who have access to a financial institution’s systems and data.

Just as critical in mitigating supply chain attacks is the security of APIs, which are being used by financial technology (fintech) startups to deliver products and services in collaboration with financial institutions.

The MAS said a well-defined vetting process should be implemented for assessing third parties’ suitability in connecting to the financial institution via APIs, as well as governing third-party API access. The vetting criteria should consider factors such as the third party’s nature of business, cyber security posture, industry reputation and track record.

Financial institutions should also perform a risk assessment before allowing third parties to connect to their IT systems via APIs and ensure the implementation for each API is commensurate with the sensitivity and business criticality of the data being exchanged, and the confidentiality and integrity requirements of the data.

Finally, security standards for designing and developing secure APIs should be established. These standards should include measures to protect the API keys or access tokens that are used to authorise access to APIs to exchange confidential data.

Read more about cyber security in ASEAN

The MAS also weighed in on the recent attack on multiple IT service providers through the exploitation of SolarWinds’ network management software, noting that it was a clear indication of a worsening cyber threat environment.

Against this backdrop, the revised guidelines require financial institutions to establish a robust process for the timely analysis and sharing of cyber threat intelligence within the financial ecosystem, and to conduct cyber exercises enabling them to stress-test their cyber defences.

Stella Cramer, head of technology and innovation in Asia Pacific at global law firm Norton Rose Fulbright, said the measures recommended in the guidelines are good practice and most will already be part of the standard operating procedures at larger financial institutions.

Even though the guidelines spell out measures to mitigate cyber threats, Cramer told Computer Weekly that financial institutions can still make assessments of the appropriate access controls they will implement for particular systems based on the criticality of those systems and the sensitivity of information.

Read more on Endpoint security

Data Center
Data Management