Singapore MAS Cybersecurity Compliance

The Monetary Authority of Singapore (MAS) imposes various data protection and cybersecurity regulations
on financial institutions operating in Singapore and other entities that it regulates with
a broad power to investigate, enforce and impose penalties for non-compliance.

What are MAS cybersecurity regulations and what do they mean for your business?

The Monetary Authority of Singapore (MAS) is Singapore’s central bank and integrated financial regulator. MAS regulates and supervises deposit-taking institutions in Singapore, including full banks, wholesale banks, merchant banks and financial companies.

In Singapore, in addition to the PDPA, which establishes a comprehensive regime for personal data protection enforceable by the PDPC, the MAS plays a vital role in policing the cybersecurity and data protection of financial institutions by issuing mandatory notices and advisory guidelines.

All financial institutions doing business in Singapore shall be aware of the following cybersecurity documents issued and periodically updated by the MAS:

  • Notice on Cyber Hygiene
  • Notice on Technology Risk Management
  • Technology and Risk Management (TRM) Guidelines

Among other things, these documents require regular risk assessment, development and maintenance of security policies, implementation of secure coding practices, regular security testing, vendor and third-party risk management, software and patch management, malware protection, fraud monitoring and incident response.

Additionally, the MAS Cyber Security Advisory Panel (CSAP) provides insightful guidelines and best practices for the evolving technology and cyber threat landscape, accompanied by practical implications for financial institutions in Singapore.

What are the penalties for violations of MAS cybersecurity regulations?

Under the provisions of the Banking Act, the MAS may issue financial penalties of up to 100,000 SGD and, in the case of a continuing violation, a further fine of 10,000 SGD for every single day during which the offense continues.

What are the security requirements under MAS cybersecurity regulations?

The most detailed MAS document dedicated to cybersecurity is the “Technology and Risk Management (TRM) Guidelines”, which is composed of 15 detailed sections and multiple subsections after an update in January 2021. The guidelines establish a risk-based cybersecurity management framework, mandate information security policies and procedures, and encourage the board of directors and senior management to participate directly in organizational cybersecurity strategy, alluding to their direct responsibility and accountability for eventual security failures.

Section 6 (“Software Application Development and Management”) of the guidelines addresses application security, and Subsection 6.1.6 says that “a comprehensive strategy to perform application security validation and testing” is essential for financial institutions.

The next subsection, 6.1.7, points out that “major issues and software defects should be remediated before production deployment.” Security of APIs and web services is expressly addressed in Subsection 6.4.6, which says, “robust security screening and testing of the API should be performed […] before it is deployed into production.”

Section 12 (“Cyber Security Operations”) provides a multifaceted framework to establish a continuous threat intelligence and cyber incident monitoring strategy. There is a special emphasis on inclusive and holistic log monitoring, explained in Subsection 12.2.5, which suggests that a “correlation of multiple events registered on system logs should be performed to identify suspicious or anomalous system activity patterns.”

Regular security testing is separately addressed in Section 13 (“Cyber Security Assessment”), which imposes recurrent penetration testing and vulnerability assessments. As stipulated in Subsection 13.1.2, the scope of vulnerability assessment shall “minimally include vulnerability discovery, identification of weak security configurations, and open network ports, as well as application vulnerabilities.” The guidelines further provide a risk-based approach for penetration testing by suggesting its frequency to be “determined based on factors such as system criticality and the system’s exposure to cyber risks”, later setting the minimum threshold: “conduct penetration testing […] at least annually or whenever these systems undergo major changes or updates.”

Do MAS cybersecurity regulations impose third-party risk management?

The latest version of the MAS guidelines expressly addresses third-party risk management and prevention of supply chain attacks in Section 5 (“IT Project Management and Security-by-Design”).

Subsection 5.3.1 says that financial institutions should “establish standards and procedures for vendor evaluation and selection” in a risk-based manner, elaborating that the “level of [vendor] assessment and due diligence performed should be commensurate with the criticality of the project deliverables.”

The MAS Cyber Security Advisory Panel also addressed third-party risk management in its recent recommendations: “With the increased reliance on third-party vendors, the Panel emphasizes the need for financial institutions to step up their oversight of these counterparts and to monitor and secure remote access by third parties to financial institutions’ systems.”

List of authoritative MAS cybersecurity resources
