Monetary Authority of Singapore revises guidelines to strengthen resilience against cyber attacks and other problems

June 10, 2022 |

The  Monetary Authority of Singapore has  revised Guidelines on Business Continuity Management for financial institutions to strengthen resilience against service disruptions arising from a range of circumstances including cyber attacks, and physical threats. 

The media release provides:

The Monetary Authority of Singapore (MAS) today issued revised Guidelines on Business Continuity Management (BCM) for financial institutions (FIs), to help FIs strengthen their resilience against service disruptions arising from IT outages, pandemic outbreaks, cyber-attacks and physical threats. The revisions take into account learnings from the handling of the COVID-19 pandemic and increased digitalisation in the financial sector.

2 The revised Guidelines provide new insights on measures that FIs can take to better manage the increasingly complex operating environment and threat landscape to enable the continuous delivery of services to their customers.  Under the revised Guidelines, FIs should:

a)adopt a service-centric approach through timely recovery of critical business services facing customers;

b) identify end-to-end dependencies that support critical business services, and address any gaps that could hinder the effective recovery of such services; and

c) enhance threat monitoring and environmental scanning, and conduct regular audits, tests, and industry exercises. 

3 Mr Vincent Loy, Assistant Managing Director (Technology), MAS, said, “Against the backdrop of an increasingly volatile and complex environment, the new Guidelines will help financial institutions to take an agile and holistic approach in sustaining their critical business services when faced with threats and risk of disruption.” 

The guidelines are found here.

On a more sombre note Crikey reports that federal government departments have not fulfilled cybersecurity basics.  That does not surprise me.  The article provides:

For the sixth time, the ANAO has gone looking for evidence our public service departments are executing cybersecurity basics. Again, they’ve been disappointed.

For years now, Crikey has kept a lonely vigil over one of the more bemusing administrative scandals of recent times in the Australian Public Service: the failure of departments and major agencies to meet the most basic requirements of cybersecurity put in place back when Labor was last in government in 2013 (you can find a history of the saga here).

When we last checked in March 2021, the auditor-general had busted Prime Minister and Cabinet, and Attorney-General — two departments you’d kinda sorta wanna think might be pretty focused on security — not just for not being compliant with the original “top four” requirements put in place back in 2013, but for claiming they were compliant when they weren’t.

Since then the top four has been expanded to the more alliterative “essential eight” and enshrined in the Protective Security Policy Framework Policy 10, “Safeguarding data from cyber threats”. Throughout that time, progress to meeting either the four or the eight by most departments has been ridiculously slow — and attempts by bureaucrats to explain away their failures when MPs like Labor’s Tim Watts pursued them just ridiculous.

The repeated failure to comply with cybersecurity basics grew so embarrassing, departments began criticising the Australian National Audit Office (ANAO) for drawing attention to the fact that they were vulnerable, and insisted it no longer report departments’ failures individually — a classic case of national security being invoked to spare the blushes of officials.

This week, in its sixth look at the issue, in the context of one of its regular reports on the key financial controls of departments and major government entities, the ANAO has checked in on progress, looking at cybersecurity basics in relation to the preparation of financial statements. The result is a sense of resigned exasperation from the auditors:

“Since 2013, the ANAO has conducted a series of performance audits focused on assessing entities’ implementation of the PSPF cybersecurity requirements. These performance audits continue to identify low levels of compliance with mandatory PSPF cybersecurity requirements and concerns in annual self-assessments by entities. The ANAO has reported its concern that there is little evidence through the series of audits that the regulatory framework had driven sufficient improvement in entities mitigating their cybersecurity risks since 2013.”

Has 2022 seen a turnaround? Yeah … nah. For the 19 departments and agencies examined, there’s been progress in achieving most of the eight, but off a low base. The most widely complied-with requirement, restricting administrator privileges, hasn’t improved in the last year, and remains at 12 of the 19; barely a quarter of agencies report having complied with some other requirements.

Two agencies actually reported that they went backwards. “Of the 19 entities assessed, two had self-assessed as achieving a Managing maturity level,” ANAO reported.

Its conclusion?

“The PSPF cybersecurity requirements have been in place since 2013, with the March 2022 update mandating the implementation of all Essential Eight mitigation strategies. Entities’ inability to meet previous requirements indicates a weakness in implementing and maintaining strong cybersecurity controls over time. Previous ANAO audits of entity compliance with PSPF cybersecurity requirements have not found a significant improvement over time. The work undertaken as part of this review indicates that this pattern continues, with limited improvements.”

For a public service increasingly unable to perform the basics of policy administration, it’s a potent symbol of decline.


Leave a Reply

Verified by MonsterInsights