Singapore MAS Compliance and Cybersecurity
The Monetary Authority of Singapore (MAS) imposes various data protection and cybersecurity regulations on financial institutions operating in Singapore and on other entities that it regulates. It has broad powers to administer and enforce these regulations, conduct related investigations and impose penalties for compliance failures.
What are MAS cybersecurity regulations and what do they mean for your business?
The Monetary Authority of Singapore (MAS) is Singapore’s central bank and financial regulatory authority. MAS regulates and supervises deposit-taking institutions in Singapore, including full-service banks, wholesale banks, merchant banks, insurers and financial services companies.
ImmuniWeb can help you comply with Singapore MAS cybersecurity and data protection requirements.
The primary data protection law in Singapore is the Personal Data Protection Act (PDPA), which establishes a comprehensive regime for personal data protection enforceable by the Personal Data Protection Commission (PDPC). However, in addition to the overarching data protection regime, the MAS plays a vital role in policing cybersecurity and data protection of financial institutions by issuing mandatory notices and advisory guidelines.
All financial institutions doing business in Singapore should be aware of the following cybersecurity documents issued and periodically updated by the MAS:
- Notice 655 on Cyber Hygiene
- Notice 644 on Technology Risk Management
- Technology and Risk Management (TRM) Guidelines
The above documents set out a variety of data protection requirements and best-practice policies for banks and financial institutions, including regular risk assessments, development and maintenance of security policies, implementation of secure coding practices, regular security testing, vendor and third-party risk management, software and patch management, malware protection, fraud monitoring and incident response.
Additionally, the MAS Cyber Security Advisory Panel (CSAP) provides best practice guidelines in the face of an evolving technology and cyber threat landscape, with practical advice for financial institutions in Singapore.
It’s worth noting that there is a Memorandum of Understanding on Cybersecurity Cooperation between Singapore’s MAS and the US Treasury, which has been in place since 2021. In 2023, the two parties carried out a cross-border cybersecurity exercise which “allowed both agencies to test and strengthen existing protocols for information exchange and incident response coordination for cyber incidents involving banks operating in both jurisdictions.”
What are the penalties for violations of MAS cybersecurity regulations?
Under the provisions of the Banking Act, the MAS can impose financial penalties of up to 100,000 SGD. An additional daily fine of 10,000 SGD can be levied for any continued violations.
Section 29 of the Financial Services and Markets Act (FSMA) imposes a higher level of maximum penalty of 1 million SGD for any financial institution which fails to comply with any relevant regulations issued by the MAS in relation to the “management of technology risks, including cyber security risks” and “a further fine of [100,000 SGD] for every day or part of a day during which the offence continues after conviction”.
What are the security requirements under the MAS cybersecurity regulations?
The most detailed MAS document dedicated to cybersecurity is entitled “Technology and Risk Management (TRM) Guidelines” and comprises 15 detailed sections and multiple subsections. These guidelines establish a risk-based cybersecurity management framework including information security policies and procedures. The guidelines encourage company directors and senior management to participate directly in organizational cybersecurity strategies, alluding to their direct responsibility and accountability for any eventual security failures.
Section 6 (“Software Application Development and Management”) of the guidelines addresses application security, and Subsection 6.1.6 says that “a comprehensive strategy to perform application security validation and testing” is essential for financial institutions.
Subsection 6.1.7 points out that “Major issues and software defects should be remediated before production deployment.” The security of APIs and web services is expressly addressed in Subsection 6.4.6 which notes “robust security screening and testing of the API should be performed […] before it is deployed into production.”
Section 12 (“Cyber Security Operations”) provides a multifaceted framework to establish a continuous threat intelligence and cyber incident monitoring strategy. There is a particular emphasis on inclusive and holistic log monitoring, explained in Subsection 12.2.5 which suggests “Correlation of multiple events registered on system logs should be performed to identify suspicious or anomalous system activity patterns.”
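To make the log-correlation requirement in Subsection 12.2.5 concrete, the following added example (written for this page, not code from MAS or ImmuniWeb) correlates individual authentication events into a single finding: a burst of failed logins for one account from one source, followed by a successful login within the same window, and then a privilege-escalation command shortly after. The log format, the field names and the thresholds (three failures in 60 seconds, escalation within five minutes) are assumptions chosen for illustration, as are the constructed sample lines.

```python
"""Correlating multiple log events into one anomalous-activity finding.

Added illustration of the practice in TRM Subsection 12.2.5. The syslog-like
line format, the rule thresholds and the sample lines are all hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "<ts> <facility> <program>: <msg> from <src>" layout.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:06 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 auth sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:00:30 audit sudo: admin : COMMAND=/usr/bin/passwd root from 203.0.113.7
2024-03-01T09:15:00 auth sshd: Failed password for alice from 198.51.100.4
2024-03-01T09:30:00 auth sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<facility>\w+) (?P<program>\w+): (?P<msg>.*) from (?P<src>[\d.]+)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def classify(ev):
    """Map an event to (kind, user): kind is 'fail', 'success', 'sudo' or None."""
    msg = ev["msg"]
    if ev["program"] == "sshd":
        m = re.match(r"(Failed|Accepted) password for (\w+)", msg)
        if m:
            return ("fail" if m.group(1) == "Failed" else "success", m.group(2))
    if ev["program"] == "sudo":
        m = re.match(r"(\w+) : COMMAND=", msg)
        if m:
            return ("sudo", m.group(1))
    return (None, None)


def correlate(log_text, fail_threshold=3, window=timedelta(seconds=60),
              escalation_window=timedelta(minutes=5)):
    """Return one alert per (user, source) whose failures-then-success pattern
    crosses the threshold; mark it escalated if a sudo command follows soon after."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    alerts = []
    for ev in events:
        kind, user = classify(ev)
        if kind is None:
            continue
        key = (user, ev["src"])
        if kind == "fail":
            # Keep only failures still inside the sliding window.
            recent_failures[key] = [t for t in recent_failures[key]
                                    if ev["ts"] - t <= window] + [ev["ts"]]
        elif kind == "success":
            fails = [t for t in recent_failures[key] if ev["ts"] - t <= window]
            if len(fails) >= fail_threshold:
                alerts.append({"user": user, "src": ev["src"], "failures": len(fails),
                               "success_at": ev["ts"], "escalation": False})
            recent_failures[key] = []
        elif kind == "sudo":
            # A privileged command right after a suspicious login raises severity.
            for alert in alerts:
                if (alert["user"], alert["src"]) == key and \
                        timedelta(0) <= ev["ts"] - alert["success_at"] <= escalation_window:
                    alert["escalation"] = True
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Run on the constructed sample, the single event for `alice` produces nothing, while the four failures, the success and the `sudo` command for `admin` from the same source collapse into one escalated alert; that collapse of several individually unremarkable records into one finding is what the guideline's “correlation of multiple events” asks for.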
Regular security testing is separately addressed in Section 13 (“Cyber Security Assessment”), which requires recurrent penetration testing and vulnerability assessments. As stipulated in Subsection 13.1.2, the scope of vulnerability assessments should “minimally include vulnerability discovery, identification of weak security configurations, and open network ports, as well as application vulnerabilities.” The guidelines further provide a risk-based approach for penetration testing by suggesting its frequency be “determined based on factors such as system criticality and the system’s exposure to cyber risks” and setting a minimum threshold of “at least once annually or whenever these systems undergo major changes or updates.”
Do the MAS cybersecurity regulations impose third-party risk management?
The latest version of MAS guidelines expressly addresses third-party risk management and prevention of supply chain attacks in Section 5 (“IT Project Management and Security-by-Design”).
Subsection 5.3.1 says that financial institutions should “establish standards and procedures for vendor evaluation and selection” in a risk-based manner, noting that the “level of [vendor] assessment and due diligence performed should be commensurate with the criticality of the project deliverables.”
The MAS Cyber Security Advisory Panel has addressed third-party risk management as part of dealing with new financial sector cyber risks: “Managing concentration risks associated with critical third-party service providers. The panel called for harmonisation of cyber resilience standards globally and for financial authorities to work more closely together to engage public cloud service providers on their risk management controls and practices.”