Out-Law News 1 min. read

New IT security incident reporting rules in Singapore set out for financial services industry


Banks, insurance companies and credit card providers in Singapore will have to notify the Monetary Authority of Singapore (MAS) within an hour of discovering a serious IT security incident or system malfunction under new rules issued by the regulator.

The financial institutions (FIs) will have to report incidents that have a "severe and widespread impact" on their operations, or that "materially impacts" their service to customers, according to an explanatory document (6-page / 414KB PDF) published by MAS. The reporting requirement will kick in from 1 July 2014. The new rules require the FIs to put in place "IT controls" that "protect customer information from unauthorised access or disclosure".

The reports will have to contain a description of what happened in the incident, when and how it happened, where it happened and what the impact of it was. The FIs will also have to detail what actions they have taken in response.

"Any IT security incident or system malfunction with severe and widespread impact on an FI’s operations, or materially impacts the FI’s service to its customers, is a reportable event," the MAS notice said. "Isolated ATM outages that do not have a widespread impact on an FI’s operations or materially impact services to customers are unlikely to be considered as reportable events."

"An FI must notify MAS within 1 hour upon the discovery of a system malfunction or IT security incident which has severe and widespread impact on its operations or materially impact the FI’s customers regardless of when the malfunction or incident occurs," it said.

Singapore FIs have all been issued with a notice requiring them to establish a framework and process for identifying "critical systems" and "make all reasonable effort to maintain high availability" of those systems. Examples of the critical systems include online banking systems, and systems which support payment, MAS said. Unscheduled downtime that affects services to customers should not exceed a total of four hours in a year, it added.

After submitting their initial report, the FIs must follow it by submitting a "root cause and impact analysis" report to MAS within 14 days of a reportable incident being discovered.

MAS has issued non-binding technology risk management guidelines (59-page / 509KB PDF) setting out some examples of best practice to help FIs protect their systems from security threats or outages.

"In recent years, various technology innovations in areas such as card payment, mobile technology and system virtualisation have helped to expand financial institutions’ (FIs) business offerings and customer reach," MAS said. "Information technology (IT) outsourcing has also become more attractive to FIs due to the abundance of outsourcing services." 

"Against the backdrop of an increased reliance on complex IT systems and operations in the financial sector is the heightened risk of cyber attacks and system disruptions. In this regard, FIs are expected to continue to deepen their technology risk management capabilities and be ready to handle IT security incidents and system failures," it said.
