Cyber Resilience Initiative: Monetary Authority of Singapore

High-profile cyber attacks on financial institutions have focused regulators’ attention on the need to strengthen cyber security frameworks. Recently, more central banks have created specific regulatory and supervisory initiatives on banks’ cyber risks. But very few have specific regulatory requirements.

In 2019, the Monetary Authority of Singapore (MAS) became one of the first regulators to issue baseline requirements for what it termed ‘cyber hygiene’. “According to research, around 80% of cyber breaches are due to gaps in fundamental IT security controls,” says Vincent Loy, assistant managing director, technology. Issuing the rules elevated guidance on the most essential IT security controls to form legally binding requirements, he adds.

The central bank identified six elements financial firms must follow to reduce the risk of cyber threat: ensuring robust security for IT systems, ensuring systems flaws are fixed quickly, deploying security devices to restrict unauthorised network traffic, working to prevent malware infections, securing system accounts with special privileges and strengthening user authentication.

The rules will support MAS’s comprehensive approach to cyber security, which includes conducting industry-wide business continuity exercises with a focus on cyber theme and scenarios. These exercises serve to test financial institutions’ readiness to respond to and recover from large-scale cyber attacks within the financial sector.

Financial institutions are also expected to conduct penetration tests at least annually – and MAS has liaised with the financial sector to conduct industry-level penetration tests and red-teaming exercises to test cyber resilience.

MAS is also one of the first central banks to conduct bespoke cyber stress tests of the firms it regulates. “MAS previously conducted a cyber stress test in 2016 based on a scenario involving simultaneous hacking attacks on financial institutions,” Loy says.

Building on the 2016 exercise, in 2019 MAS conducted a stress test with assessors from the International Monetary Fund. Loy explained that this allowed MAS to explore the direst cyber scenarios. Firms were stressed under two scenarios: the first featured a direct cyber attack, while the second involved an attack on an external provider relied on heavily by the tested firm.

In line with traditional stress tests, MAS measured whether financial firms would maintain enough capital following a cyber attack. Banks start the tests with an aggregate capital adequacy ratio of 17%. The tests revealed that banks in Singapore could incur costs as high as 65% of quarterly profits in the event of a cyber attack.

Insurance firms were also tested during the exercise. “The exercise was useful in identifying exposure of non-affirmative coverage, and direct insurers have since put risk mitigation actions in place,” says Loy.

Since the 2019 scenario, MAS is considering whether to integrate cyber risks into its future thematic stress tests to encourage financial institutions to further develop risk management expertise in this area.