Cyber security perspectives for Major Payment Institutions in Singapore

Cyber security compliance requirements for financial industry players in Singapore are generally available and clear. Even in the smaller end of the sector, be in fintech startups issuing e-money, traditional payment processors (e.g. payroll processors, and accounting services firms) or entities engaging in cross-border money transfers, a set of policies governing compliance is available. While many smaller outfits do not particularly concern themselves adequately with understanding business-specific cyber risk and threats, the fact the Monetary Authority of Singapore (MAS) has policies and robust monitoring and enforcement mechanisms, can ensure mid and smaller regulated entities in Singapore possess a meaningful level of cyber hygiene. If a risk-based approach is taken towards these policies, we believe these mid and smaller players, in particular, can manage cyber risk in a cost-optimized manner.

For example, MAS has a license category for Major Payments Institutions (MPI). The commercial threshold to qualify for this license is not onerous. Any payments business that transacts between $3 (for a single payment service) and $6m (for two or more payment services) per month could conceivably apply.

From a cyber security perspective, MPIs need to internalize two documents, the Cyber Hygiene Notice and MAS’s Technology Risk Management. To summarize, the objective is to ensure MPI license holders, harden their security posture and its prescription include key clauses requiring MPIs to

  • Protect against malware threats
  • Scan systems for vulnerabilities and patch religiously
  • Set up network perimeter defense to restrict unauthorized access
  • Enable multifactor authentication for key employee groups (e.g. those that handle customer data or have system administrative privileges)
  • Monitor systems via a Security Operations Center (SOC) for cyber compromises and to be able to investigate and take remedial action

These are sensible policies to begin with but challenging to get done right by small to mid-tier entities. A small fortune can be spent implementing cyber solutions that overlap in their functionality, do not meet needs ultimately and to which the organization has limited skill to manage post-implementation.

Implementing these prescriptions with a risk-based view can help prioritize key solutions that are needed to help ensure cyber risks are managed without blowing the business up in event of a cyber catastrophe nor blowing the budget for cyber solutions. It also provides a clear basis to decide which activities to perform in-house or to use a managed services provider. Ultimately MAS monitoring (via audits) and enforcement will help cyber hygiene improve, but it might be very worthwhile to get ahead of the regulator.

Feel free to schedule a session with our with a cyber security specialist or our managed security services team, to discuss your operational needs.