Today in Cybersecurity: SG’s BCP & TRM Programs Revised
We recently reported that Singapore successfully held its second bug bounty program as part of the city-state’s effort to strengthen its cybersecurity defenses. The Monetary Authority of Singapore (MAS) is behind the project to reform the city-state’s Business Continuity Management (BCP) and Technology Risk Management (TRM) policies. Changes to these policies will affect Singapore’s banking industry and financial institutions. The goal is to keep cybersecurity issues at bay.
Under the proposed changes to BCP, stronger interdependence between financial institutions will be guaranteed. Cybersecurity surveillance will be implemented under the updated TRM policy. Under the guidance of MAS, Singapore will also undergo simulated attacks and penetration testing, especially of the most vulnerable devices, such as IoT (Internet of Things) devices.
“A cyber-attack can result in a prolonged disruption of business activities. Threats are constantly present and evolving in sophistication. We cannot afford to be complacent. Financial institutions must therefore remain vigilant and have in place effective technology risk management practices and robust business continuity plans to ensure prompt and effective response and recovery,” explained Tan Yeow Seng, Chief Cyber Security Officer for MAS.
Both BCP and TRM were designed six years ago, in 2013, and are very much due for revision in the wake of Singapore’s data breach episode last year, the SingHealth breach of 2018.
Financial institutions are ordered to have “monitoring capabilities that will enable prompt detection of reduced or intermittent service availabilities and clearly articulate triggers for the activation of contingency plans (e.g. fail over to a secondary data centre). These triggers should take reference from the minimum performance level for a given business function.”
The focus of BCP is speedy and full recovery after a cybersecurity issue and service interruptions have been discovered. Service interruptions include electricity outages, failing hardware and diminished components of critical computer installations. BCP covers not just cybersecurity issues but also common computing problems in public organizations.
“While a BCP for a given business function could be largely the same regardless of the cause of the disruption, an FI should be mindful that specific scenarios could impose constraints on its recovery options. For example, a cyberattack could result in the data in both primary and secondary data centres being destroyed or manipulated. Similarly, a terrorist attack could impede the ability of staff to relocate to an alternate site due to security or other physical restrictions,” the report explained.
MAS expects financial institutions to cover the cost of their compliance with the revised policies. They are also expected to learn from others when it comes to increasing cybersecurity awareness. Third-party vendors also have a responsibility, and they cannot put the blame on the financial institutions alone.
“FIs are encouraged to share their business continuity objectives with key stakeholders to mitigate the risk of mismatched expectations. An FI should proactively assess the resilience of these stakeholders and involve them in its BCM exercises, where appropriate. Some interdependency risks are beyond an FI’s direct control to mitigate completely (e.g. unavailability of telecommunications networks, etc.), but reasonable steps should still be taken to provide assurance that key service providers are capable of supporting their businesses even in disruptions,” concluded the report.
Julia Sowells