The financial services sector has always been a forerunner in adopting technology for automation, and to provide better services to customers. The sector has been embracing digital transformation at an accelerated pace, especially with COVID-19, to continue to provide banking services while minimizing physical contact and exposure. As the technology stack of financial institutions (FIs) grow and become more complex, there’s also an increase in their exposure to cyber risks. The methods used by cyber criminals are becoming more sophisticated and severe. Risks include data breaches, fraudulent financial transactions, and disruption of financial services systems.
In January 2021, the Monetary Authority of Singapore (MAS) has released updated “Technology Risk Management Guidelines.” It serves as a framework for FIs in Singapore, to ensure due diligence in minimizing cyber risks. The most important elements of the updated memorandum focus on “strong oversight” of their providers to mitigate third-party cyber risks. These include having:
- The board of directors and senior management play an integral part in the oversight and management of technology risk
- FIs apply a defense-in-depth approach to strengthening cyber resilience
- FIs ensure they are working with a provider they can trust
- A proper inventory of all assets that could pose risks
- A prevention and redundancy plan against distributed denial of service (DDoS)attacks, man-in-the-middle attacks, phishing and malware, and domain name system (DNS) hijacking
Singapore has always been at the forefront of cyber resilience to support its ambition as a Smart Nation that is powered by a digital economy. Though it has experienced its fair share of data breaches, Singapore continues to pave the way in promoting best practices in cyber resilience. The latest “Singapore Cyber Landscape” report acknowledges that “[in] line with global trends, Singapore witnessed a rise in cyber threats targeted at various local industries such as eCommerce, banking, and finance…” And the financial services sector will always be one of the main industries targeted by cyber criminals.
As FIs have a growing reliance on technology stacks, therein lies a corresponding increase in their cyber risks with their third-party digital asset providers. Their domain names, DNS, and secure socket layer (SSL) digital certificates are still sitting with low-security providers, especially evident in Asia.
The findings from CSC’s Domain Security Report 2020—which looked at the security posture of the Global Forbes 2000 companies—showed that 82% of FIs are still at risk because of their providers. In the same report, it observed that 88% of banks are at risk of a basic domain and DNS hijack because they have not implemented registry locks, which prevents unauthorized changes to domain names and DNS records. There is also a huge gap in the adoption of a defense-in-depth approach because there is low adoption of:
- Domain-based message authentication, reporting, and conformance (DMARC)to prevent email spoofing
- DNS security extensions (DNSSEC)to prevent DNS cache poisoning
- Enterprise-grade registrars who mandate multi-factor authentication to prevent unauthorized access to domain and DNS management portals
With Singapore positioning as a regional and international financial hub, FIs will be expected to take the lead, strengthening its cyber security posture—and other sectors, and even nations will hopefully follow its example. CSC resonates with MAS’s recommendation that the board and senior management should be the backbone of cyber resilience. With the push from these decision makers, there could be a cultural shift towards cyber resilience, not only for the financial services, but all industries on this side of the world.