Singapore’s central bank has revised its technology risk management guidelines to help the financial sector guard against supply chain attacks that have been getting more prevalent and dangerous.
In a statement, the Monetary Authority of Singapore (MAS) said the revised guidelines focus on addressing technology and cyber risks in an environment of growing use by financial institutions of cloud technologies, application programming interfaces (APIs), and agile software development.
The revised guidelines will, among other things, require financial institutions to assess and manage their exposure to technology risks that may affect the confidentiality, integrity and availability of the IT systems and data held at third-party IT service providers.
They should also ensure that their IT service providers employ a high standard of care and diligence in protecting data confidentiality and integrity, as well as ensuring system resilience. Background checks should also be conducted on third-party personnel who have access to a financial institution’s systems and data.
Just as critical in mitigating supply chain attacks is the security of APIs which are being used by financial technology start-ups to deliver products and services in collaboration with financial institutions.
The MAS said a well-defined vetting process should be implemented for assessing third parties’ suitability in connecting to the financial institution via APIs, as well as governing third-party API access. The vetting criteria should consider factors such as the third party’s nature of business, cyber security posture, industry reputation and track record.
Financial institutions should also perform a risk assessment before allowing third parties to connect to their IT systems via APIs, and ensure that the implementation of each API is commensurate with the sensitivity and business criticality of the data being exchanged, and with the confidentiality and integrity requirements of that data.
Finally, security standards for designing and developing secure APIs should be established. The standards should include the measures to protect the API keys or access tokens, which are used to authorise access to APIs to exchange confidential data.
The MAS also weighed in on the recent attack that targeted multiple IT service providers through the exploitation of SolarWinds’ network management software, noting that it was a clear indication of a worsening cyber threat environment.
Against this backdrop, the revised guidelines require financial institutions to establish a robust process for the timely analysis and sharing of cyber threat intelligence within the financial ecosystem; and to conduct cyber exercises to allow them to stress test their cyber defences.
Stella Cramer, head of technology and innovation in Asia Pacific at Norton Rose Fulbright, a global law firm, said that the measures recommended in the guidelines are good practice and most will already be part of the standard operating procedures at larger financial institutions.
Even though the guidelines spell out measures to mitigate cyber threats, Cramer told Computer Weekly that financial institutions can still make their own assessments of the appropriate access controls they will implement for particular systems, based on the criticality of those systems and the sensitivity of the information.