Cybersecurity Measures to Ensure Banking System Integrity

20 Mr Ong Teng Koon asked the Prime Minister what are the cybersecurity measures being taken to ensure the integrity of our banking system and financial transactions in light of the recent cyber theft incident encountered by Bangladesh Bank.

The Minister for National Development (Mr Lawrence Wong) (for the Prime Minister): Madam, I am taking this question on behalf of the Deputy Prime Minister and Chairman of the Monetary Authority of Singapore (MAS). The recent incident at the Bangladesh Bank is a timely reminder that cyberattacks can be very costly.

MAS and financial institutions (FIs) in Singapore take cybersecurity very seriously and we have been paying close attention to global developments in cyber threats.

MAS expects our FIs institutions to build strong and effective capabilities to safeguard the integrity and availability of their critical systems and services and to protect customer and other sensitive information from unauthorised access. This means having in place measures to protect their critical systems, to detect threats and system vulnerabilities in a timely manner and also to recover from cyberattacks swiftly. They must conduct regular security reviews and tests to ascertain the continued effectiveness of these measures.

MAS assesses the FIs' cyber resilience through both onsite and offsite supervision. And where there are any gaps or areas of improvement identified, MAS requires the FI to develop a remedial plan of action and will monitor the institution's progress in its implementation. MAS also monitors the prevailing cyber threat landscape and issues targeted advisories to FIs.

The FIs themselves have been taking proactive steps to combat cybersecurity risks. In addition to investments at the individual FI level, they are also collaborating on industry initiatives to strengthen the sector's cyber resilience. The Association of Banks in Singapore Standing Committee on Cyber Security (SCCS) was set up in 2013 and has since served as a useful platform for industry collaboration. Since its inception, the SCCS has championed a number of initiatives to raise industry standards, for example, in the area of penetration testing. They have also commenced regular sector-level cyber exercises amongst its members to test the FIs' responses and operating procedures against various cyber threat scenarios. The group also meets regularly to exchange insights and intelligence on cyber threats.

At the national level, MAS and major FIs work closely with the Cyber Security Agency (CSA) to support our national initiatives on cybersecurity and critical information infrastructure protection.

Madam, cyber threats are persistent and we must expect threat actors to continue to enhance their tools and techniques. So, MAS will continue to work with our FIs and industry partners to monitor developments in cyberspace and to adapt defences, as appropriate, to stay cyber-resilient.

Mr Ong Teng Koon (Marsiling-Yew Tee): I would like to thank the Minister for his reply. I would also like to ask him whether there are any plans to develop a local talent pool for the cybersecurity industry in order to broaden the talent and expertise to deal with such threats.

Mr Lawrence Wong: Madam, there are, indeed, plans to do so and this is an area that, in fact, MCI and the CSA have been coordinating because the requirements cut across different sectors, not just in the finance sector but across all industries. The reality is that cybersecurity will become an emerging threat which all companies and all industries including in the public sector, will have to deal with. There will be more requirements for skilled people in this area and so our CSA is, indeed, looking at our manpower needs for the future, and our educational institutions, including our tertiary institutions, are stepping up provisions in this area as well.

Mr Louis Ng Kok Kwang (Nee Soon): Thank you, Madam. Can I ask if MAS has performed audits or reviews on the effectiveness of IT controls very specific to FAST, which stands for Fast and Secure Transfers? If so, how often? If not, is there a plan to do so? I understand that FAST is very similar to SWIFT, which was the software or network which was infiltrated by the hackers to steal the $81 million from the Bank of Bangladesh.

Mr Lawrence Wong: Madam, as I have mentioned earlier, MAS does do audits, checks and penetration tests as well across the board in all our financial networks, including on FAST. So, I would like to assure the Member that these audits and tests are being done and we are always making sure that we have a resilient system that will be able to withstand cyberattacks.