The SolarWinds supply-chain attack affected organisations in nearly every sector worldwide. In light of its reach and aftermath, the Monetary Authority of Singapore (MAS) issued a revised set of technology risk management rules that took effect on January 18, 2021. Under the MAS directives, all financial institutions, including e-payment service providers, must comply with the central bank's revised rules.
What was the Need?
MAS already exercises strict oversight of the financial firms operating in Singapore, but the SolarWinds attack was an eye-opener for the regulator. The attackers compromised a third-party software vendor, SolarWinds, and inserted malicious code into a legitimate update of its Orion platform; customers who installed the trojanized update gave the attackers a foothold inside their own networks. U.S. government agencies such as the Department of the Treasury, the Department of Commerce and the National Nuclear Security Administration (NNSA), and even technology companies such as Microsoft and FireEye, were among those affected. The trusted third-party supplier thus served as a ready-made entry point, and that trust was the underlying weakness. MAS wants to close this gap and has revised its rules accordingly.
MAS’s New Rules for Tech Risk Management
Previously, MAS did not mandate the assessment of third-party service providers and vendors. It now requires all financial institutions, including e-payment providers, brokerages and insurers, to assess the suppliers, third-party products and software that their technology partners and vendors rely on. Suppliers may have to demonstrate that their software is rigorously tested and that they follow secure development practices. The new rules also give institutions the right to require suppliers to disclose their security controls and how often they monitor for cyber risk.
Third-party risk grows by the day as new technologies emerge and have to be integrated. The use of APIs in everyday banking and payment services is one example: without them, customers could not pay on e-commerce sites or in apps. But a payment API is also an attack surface. MAS now wants to reduce this exposure by requiring vendors to develop their APIs securely, to encrypt sensitive data in transit so that it cannot leak, and to guard against attackers injecting malicious code through those APIs.
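The injection risk mentioned above is easiest to see in code. The following is an added example (mine, not code from MAS, SolarWinds or this article): a toy payment-lookup handler in its vulnerable form beside its hardened form, plus the amount validation a payment API needs. The account-identifier format, the sample records and the in-memory SQLite table are all constructed for illustration; encryption of data in transit (TLS) is a deployment concern and is not shown here.

```python
import re
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed sample data standing in for a payment-service database (not real records).
SAMPLE_PAYMENTS = [
    ("ACC-1001", "120.50"),
    ("ACC-1002", "75.00"),
    ("ACC-1003", "9999.99"),
]

# Assumed identifier format for this example: "ACC-" followed by four digits.
ACCOUNT_RE = re.compile(r"ACC-\d{4}")


def build_db():
    """In-memory SQLite database seeded with the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payments (account TEXT, amount TEXT)")
    conn.executemany("INSERT INTO payments (account, amount) VALUES (?, ?)", SAMPLE_PAYMENTS)
    return conn


def handle_lookup_vulnerable(conn, account):
    """Insecure handler: the caller's input is spliced into the SQL text.

    Returns (status, rows). A payload such as "' OR '1'='1" turns the
    WHERE clause into a tautology and dumps every row in the table.
    """
    sql = "SELECT account, amount FROM payments WHERE account = '" + account + "'"
    return 200, conn.execute(sql).fetchall()


def is_valid_account(account):
    """Allow-list check: accept only the documented identifier shape."""
    return isinstance(account, str) and ACCOUNT_RE.fullmatch(account) is not None


def handle_lookup_safe(conn, account):
    """Hardened handler: validate the input, then bind it as a parameter.

    Returns (status, rows). Malformed identifiers are rejected with 400
    before any query runs, and a bound parameter is never parsed as SQL.
    """
    if not is_valid_account(account):
        return 400, []
    rows = conn.execute(
        "SELECT account, amount FROM payments WHERE account = ?", (account,)
    ).fetchall()
    return 200, rows


def parse_amount(text):
    """Parse a monetary amount taken from an API request body.

    Returns a Decimal, or None if the value is not a finite, non-negative
    number with at most two decimal places. Floats are avoided on purpose:
    binary floating point cannot represent most cent values exactly.
    """
    try:
        amount = Decimal(text)
    except (InvalidOperation, TypeError, ValueError):
        return None
    if not amount.is_finite() or amount < 0:
        return None
    if amount.as_tuple().exponent < -2:
        return None
    return amount


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", handle_lookup_vulnerable(db, payload))
    print("hardened:  ", handle_lookup_safe(db, payload))
    print("amount 1.234 ->", parse_amount("1.234"), "| 120.50 ->", parse_amount("120.50"))
```

The two handlers differ in one line: the hardened one passes the identifier as a bound parameter rather than concatenating it, and it refuses anything that does not match the expected shape before touching the database. The same pattern (validate against an allow-list, then use the API's parameter binding) applies to any query language or back-end a payment API talks to.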
Other Inclusions in the Risk Management Rules
MAS has recorded tremendous growth in mobile application usage and in BYOD devices. It has therefore also issued guidance on application security testing and on mobile device and application management, which mainly covers:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Interactive Application Security Testing (IAST)
- Fuzzing or Fuzz Testing
- Mobile Device or Application Management (MDM/MAM)
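Of the testing methods listed above, fuzz testing is the one most easily shown in working code. The following is an added example (mine, not code from MAS or this article): a small mutation fuzzer run against a toy transfer-message parser that deliberately trusts a length field, and then against the corrected parser. The wire format, the seed message, the mutation dictionary and the bug are all constructed for illustration.

```python
import random

# Exceptions the toy API contract allows a parser to raise for malformed input.
# Anything else escaping the parser is treated as a finding.
DOCUMENTED_ERRORS = (ValueError,)

# Bytes that tend to break parsers: NUL, separator, terminator, digit, sign, high bit.
INTERESTING = [b"\x00", b";", b"#", b"9", b"-", b"\xff"]

# Constructed seed message in the toy format below; not a real payment message.
SEED = b"100;SGD;06coffee#"


def parse_transfer(msg, check_length=False):
    """Parse the constructed format AMOUNT;CUR;NNMEMO#.

    AMOUNT is integer cents, CUR three ASCII letters, NN a two-digit memo
    length and '#' a terminator that must follow the memo. With
    check_length=False the parser trusts NN (the deliberate bug).
    """
    parts = msg.split(b";", 2)
    if len(parts) != 3:
        raise ValueError("expected three fields")
    amount = int(parts[0])
    if amount <= 0:
        raise ValueError("amount must be positive")
    currency = parts[1].decode("ascii")
    if len(currency) != 3 or not currency.isalpha():
        raise ValueError("bad currency code")
    rest = parts[2]
    n = int(rest[:2])
    if check_length and (n < 0 or 2 + n >= len(rest)):
        raise ValueError("memo length exceeds message")
    # BUG when check_length is False: an oversized n indexes past the end of rest.
    if rest[2 + n] != ord("#"):
        raise ValueError("missing terminator")
    memo = rest[2:2 + n].decode("utf-8")
    return {"amount": amount, "currency": currency, "memo": memo}


def parse_transfer_fixed(msg):
    """The same parser with the length field checked against the data present."""
    return parse_transfer(msg, check_length=True)


def dictionary_mutants(seed):
    """Deterministic sweep: substitute each interesting byte, or delete, at every position."""
    for i in range(len(seed)):
        for b in INTERESTING:
            yield seed[:i] + b + seed[i + 1:]
        yield seed[:i] + seed[i + 1:]


def random_mutant(seed, rng):
    """Apply one to four random byte-level edits (overwrite, insert, delete)."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == 2 and len(data) > 1:
            del data[rng.randrange(len(data))]
    return bytes(data)


def run_once(target, data):
    """Return the undocumented exception raised for `data`, or None if the
    parser accepted the input or rejected it with a documented error."""
    try:
        target(data)
    except DOCUMENTED_ERRORS:
        return None
    except Exception as exc:  # any other escape is a finding
        return exc
    return None


def fuzz(target, seeds, iterations=2000, seed=1):
    """Run the dictionary sweep plus `iterations` random mutants per seed.

    Returns a list of (input, exception) findings, deduplicated by input.
    The RNG is seeded so a campaign can be replayed exactly.
    """
    rng = random.Random(seed)
    seen = set()
    findings = []
    for s in seeds:
        candidates = list(dictionary_mutants(s))
        candidates += [random_mutant(s, rng) for _ in range(iterations)]
        for data in candidates:
            if data in seen:
                continue
            seen.add(data)
            exc = run_once(target, data)
            if exc is not None:
                findings.append((data, exc))
    return findings


if __name__ == "__main__":
    for data, exc in fuzz(parse_transfer, [SEED]):
        print(repr(data), "->", type(exc).__name__, exc)
    print("fixed parser findings:", fuzz(parse_transfer_fixed, [SEED]))
```

Two design points carry over to real fuzzing: the harness distinguishes documented rejections (here ValueError) from anything else escaping the parser, so it reports only genuine robustness bugs, and it keeps a deterministic dictionary sweep next to the seeded random phase so that a finding such as an inflated length field is reproducible from one run to the next.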