The Cyber Security Advisory Panel (CSAP)1 of the Monetary Authority of Singapore (MAS) provided insights and suggestions on how Singapore’s financial sector can harness the benefits of new technologies while remaining cyber resilient. At its second annual meeting chaired by Mr Ravi Menon, Managing Director, MAS, the international panel also provided advice on MAS own cyber resilience strategies.
CSAP members shared their views on the growing adoption of new technologies, emerging user authentication methods for online financial services, and the use of open application programming interfaces (APIs) by financial institutions (FIs). They also discussed MAS’ roadmap on initiatives to expand its cyber intelligence coverage, reinforce protection capabilities, reduce time to recover from incidents, and develop cyber security talent.
Some key issues discussed
Public Cloud Services – FIs are increasingly using public cloud services for cost savings, system scalability, and speed to market. CSAP members suggested that small and medium sized FIs, given their limited resources and capabilities, can improve their cybersecurity posture by using reputable cloud solution providers that have strong cybersecurity capabilities.
CSAP members acknowledged concerns about concentration risks arising from a growing number of financial services relying on a limited pool of cloud service providers. In particular, FIs should implement measures to secure data stored on the cloud and their network connections to the cloud service provider. Members also said that cloud service providers should provide greater transparency to their customers on how they implement security measures to protect their systems and information.
APIs – FIs are actively making their APIs available to third parties such as service providers and business partners to enrich the quality and customisation of their financial services. As APIs expose FIs to higher risks of cyber threat, CSAP members proposed measures which FIs may adopt when embarking on their open API journey. These measures include performing risk assessment of the third parties using their APIs and monitoring activities related to API services for suspicious events.
The CSAP met representatives from the Standing Committee on Cyber Security from The Association of Banks in Singapore, The Life Insurance Association Singapore, and The General Insurance Association of Singapore. The industry associations had candid exchanges with the panel on the benefits that FIs can reap from employing artificial intelligence and machine learning to augment their cyber defence capabilities. The CSAP also highlighted the usefulness of identifying vulnerabilities through bug bounty programmes and “red-teaming”2, and recommended FIs to consider adopting these as part of their security testing frameworks.
The CSAP was formed in 2017 to advise MAS and the financial sector in Singapore on strategies to address the changing cyber threat landscape. It comprises experts in cyber security from around the world. Members are on renewable two-year terms.
Annex A – List of CSAP members who attended the meeting
Ms Valerie Abend
Managing Director, Financial Services North America Security & Global Cyber Regulatory Lead, Accenture Security
Mr Keith Alexander
Founder and Chief Executive Officer, IronNet Cybersecurity Inc.
Mr Mikko Hypponen
Chief Research Officer, F-Secure Corporation
Mr David Koh
Commissioner of Cybersecurity & Chief Executive, Cyber Security Agency of Singapore
Mr Vincent Loy
Managing Director, Financial Services Leader, Accenture
Ms Cheri McGuire
Group Chief Information Security Officer, Standard Chartered Bank
1 MAS established the CSAP in September 2017. Please refer to MAS’ media release ‘MAS Sets Up International Advisory Panel for Cyber Security’ at: http://www.mas.gov.sg/News-and-Publications/Media-Releases/2017/MAS-Sets-Up-International-Advisory-Panel-for-Cyber-Security.aspx
2 Bug bounty programmes are initiated by organisations to reward individuals for discovering and reporting vulnerabilities on their systems without fear of legal repercussions. Red-teaming is the use of a red-team (i.e. a team of ethical hackers) to continuously test for weaknesses in an organisation’s people, processes and technology by adopting a hacker’s mind-set.