Singapore issues draft notice on cyber security measures for financial sector

September 11, 2018

SINGAPORE - The Monetary Authority of Singapore (MAS) has released a consultation paper proposing a new Notice On Cyber Hygiene which will set out cyber security measures for prescribed financial institutions regulated by the Authority. The Notice seeks to outline a "clear and common cyber security waterline for the financial industry".

In a Client Note, law firm Baker McKenzie says most of these financial institutions are already subject to an existing Notice on Technology Risk Management and Technology Risk Management Guidelines, among others, which impose obligations in relation to managing technology risks.

The proposed Notice goes further to impose more prescriptive legally binding obligations in relation to cyber security measures.

The Monetary Authority of Singapore is proposing that the Notice be effective 12 months from its date of issuance, and is seeking public feedback. The consultation period will end on October 5.

Baker McKenzie says the MAS proposes to apply the Notice not just to entities licensed, approved, registered or regulated by MAS but also to some other entities that MAS will be regulating in the future.

As an example, the MAS specifically referenced persons who will be licensed under the proposed Payment Services Bill, including for account issuance, domestic money transfer, merchant acquisition and virtual currency services.

“Notably, this Notice will apply to a broader scope of FIs than the TRM Notice currently applies to, e.g. stored value facility holders and registered fund management companies,” BM says.

“This means that even if these FIs are not currently expected to assess and identify which of its systems are critical systems, they may be required to do so in order to comply with certain requirements under this Notice. Where FIs have outsourcing arrangements relating to their IT systems, these FIs may seek to impose these standards on their outsourced service providers as well.” (ATI).