Last updated: 03 December 2018
Why financial institutions should adapt a data-centric approach for compliance obligations
Last September my colleague Alex Tay tackled the state of cybersecurity in Singapore and reasons for critical information infrastructure (CIIs) sectors to comply with the recent mandates from the Cyber Security Agency (CSA). As one of the 11 CIIs covered under Singapore’s cybersecurity bill, the banking and finance sector isn’t exempt to the new regulatory mandates for compliance—in fact, the Monetary Authority of Singapore (MAS) recently tightened cybersecurity rules to further protect their IT systems. How will the financial sector cope with compliance considering today’s ever-evolving guidelines, rules, and its various interpretations?
Legally-binding cybersecurity regulations strengthened for FIs
In a move to tighten cybersecurity rules and framework for financial institutions, the Monetary Authority of Singapore (MAS) proposed to make six (6) essential cybersecurity measures legally binding on top of the existing measures in place. These measures are meant to serve as a baseline hygiene standard for cybersecurity according to the MAS Technology Risk Management guidelines, in addition to enhancing the security of financial institutions’ systems and networks, and its resiliency to cyber attacks.
As indicated on the MAS website, financial institutions (FIs) are ordered to comply with the following cybersecurity measures:
• Address system security flaws in a timely manner
• Establish and implement robust security for systems
• Deploy security devices to secure system connections
• Install antivirus software to mitigate the risk of malware infection
• Restrict the use of system administrator accounts that can modify system configurations
• Strengthen user authentication for system administrator accounts on critical systems
With more financial processes today being done digitally, what does this mean for FIs in the face of increasing cyber attacks?
Understanding the demands of compliance
Cyber attacks and data breaches are often a result of unsecured or faulty system configurations. The proposed measures outline a “clear and common cybersecurity waterline” to increase readiness and response for FIs to address persistent cybersecurity issues.
Mitigating risks, however, is no easy task. Over the past years, the needs of IT systems, too, continue to evolve along with the increasing number of infrastructure and assets that need to be protected. As part of compliance with cyber hygiene requirements, the draft notice by the MAS mandates additional measures to enhance the security of administrative accounts—namely, to keep records of all administrative accounts; implement strong password controls; and to give access to administrative accounts to only authorized staff. As an added measure, we believe that relevant entities should enact a separation of duties policy to prevent insider attacks. This type of policy will effectively allow system administrators to carry out their administrative tasks without having access to sensitive stored information. We recommend implementing the M of N control policy to administrative functions of critical resources, which prevent a single administrator from making unauthorized critical changes.
Another important point to understand in the proposed mandate is the MAS’s requirement to enhance security standards in relation to its configuration and procedures. According to the draft notice, its measures include compliance with security standards established by relevant entities and taking steps to reduce any sort of risk. For FIs to meet this audit requirement, we recommend that relevant entities adopt the right authentication methods to address machine-to-machine or application-to-application transactions.
Furthermore, digital identities (private keys) and digital signatures can be used in conjunction with multi-factor authentication (MFA) to play a role in the fight against cybercrime. To enhance the effectiveness of MFA, entities should adopt risk-based authentication, which uses continuous passive behavioral biometrics and context-based signals to analyze the authenticity of transactions in real time.
Understanding these compliances and regulations as stipulated in the MAS notice is crucial to strengthen financial services’ security posture while providing convenience to all end users and customers alike.
Applying a data-centric approach to compliance
Cybersecurity still very much remains a persistent theme in the history of financial regulation despite having regulations in place to address current security concerns in the financial industry. Early this year, MAS managing director, Ravi Menon, emphasized the financial losses brought about by AI-enabled malware to infiltrate banks across the world, moving cyber risk management “front and center of the international regulatory agenda.”
No matter what the affected industry is or how old and new the government mandates are, the pressure, effort, and cost required to achieve and sustain compliance remains.
We believe that implementing an infrastructure to support, manage, and enforce policy is the most effective approach for meeting compliance regulations and passing audits. Our suite of SafeNet Identity and Data Protection solutions aid in meeting compliance obligations, whether you’re facing an audit or applying new regulations.
Implementing an infrastructure to centrally support, manage, and enforce policy is key. At Gemalto, we can help build compliance infrastructures to avoid data security creep and silos with components like role-based access control, enterprise key management, and our data encryption services. Data ownership is becoming a gray area—but you can rest assured that our solutions will enable you to securely manage and store sensitive data in the event of a breach.
Find your path to data compliance now. Contact me or leave a comment below if you’d like to hear more about our data compliance solutions.