Cyber Hygiene Compliance Guide for Singapore Companies
With the increasing threat of cyber-attacks like ransomware, phishing, and social engineering, it is of paramount importance that companies take measures to prepare for and prevent security breaches.
This is especially so if your company is a financial institution (like a bank, stock exchange, or payment service provider) which handles customers’ money and sensitive data.
As a result, in Singapore, the Monetary Authority of Singapore’s (MAS) “Notice on Cyber Hygiene” (the Notice) has made various cyber hygiene practices mandatory for specified financial institutions.
What is Cyber Hygiene?
Cyber hygiene (also known as cybersecurity hygiene) refers to the habitual practices that organisations and individuals undertake to handle critical data safely and to secure their networks against cyber-attacks.
Such practices could include:
- Keeping software and applications up to date by applying the latest updates and security patches
- Performing regular anti-virus scans on employees’ computers
- Educating employees on how to avoid falling for ransomware and phishing scams
- Regularly backing up data to minimise loss of data in the event of an attack
Why is Cyber Hygiene Important?
Practising cyber hygiene helps prevent or mitigate security incidents like data breaches, data loss and operational interruptions.
These security incidents can cause financial losses, damage to the company’s reputation or result in criminal or civil liability (these are explained in further detail below).
Better able to handle existing threats and pre-empt future ones
Maintaining cyber hygiene also positions your company to better handle existing and emerging threats. For example, in a ransomware attack, a malicious actor may lock up (encrypt) all of your company’s data and files and demand payment for their release by a certain deadline. In many cases, failing to pay by the deadline results in the deletion of all the data, but the data might also never be released even after the payment is made. If your company backs up its data frequently, however, the data from the last backup can still be restored, and you avoid having to pay a potentially hefty sum to the party attempting to extort you.
If your company regularly performs vulnerability scans, it will be able to discover whether it is affected by a vulnerability soon after that vulnerability is announced. It can then quickly cut off any vulnerable connections to prevent an immediate attack.
With these cyber hygiene practices in place, your company is better able to pre-empt a potential attack.
Is Maintaining Cyber Hygiene Compulsory For Singapore Companies?
Yes, maintaining cyber hygiene is compulsory if your company is a financial institution (FI) that falls under the purview of MAS’ cyber hygiene requirements under the “Notice on Cyber Hygiene”. This includes banks, insurers, payment service providers or capital market entities.
For the full list of types of companies that need to comply with the Notice, please refer to this FAQ by MAS, in section ‘A1’.
What are the Cyber Hygiene Requirements Under the Notice on Cyber Hygiene and How Can Your Company Comply with Them?
The 6 cyber hygiene requirements under the Notice on Cyber Hygiene are as follows:
- Securing administrative accounts
- Applying security patching
- Establishing baseline security standards
- Implementing network perimeter defences
- Implementing anti-malware measures
- Strengthening user authentication (multi-factor authentication)
Note: The term “system” will be used to refer to any hardware or software used by your company. This includes the operating system, database, an application (including web or mobile applications), or network devices.
1. Securing administrative accounts
Requirement: The FI must ensure administrative accounts are secured to prevent unauthorised access to or use of those accounts.
Administrative accounts allow users to perform highly sensitive system operations. Examples of such administrative accounts would include the “root” account on a server running Linux (the most common operating system used for servers) or on a cloud service provider such as Amazon Web Services.
Unauthorised access to administrative accounts, or allowing too many people to have administrative rights, can adversely affect system stability and security. This is because the more accounts there are with administrative rights, the greater the attack surface, i.e. the number of weak points that attackers (insiders or intruders) can use to gain access to your network or systems.
A user with administrative rights, or an attacker who has gained access to that user’s account, can cause irreparable harm, such as exporting sensitive data, installing malicious software to steal money and data, or disrupting operations.
To minimise the risks associated with there being too many administrative accounts, companies can:
- Grant administrative rights on a need-to-use basis
  - This means that the only people who should have administrative rights are those who absolutely need them to perform their functions (e.g. personnel in charge of licensing or billing matters).
  - Further, procedures should be established to assess and approve the granting of administrative accounts.
  - Periodic reviews should also be performed to verify that administrative rights are appropriately assigned, and revoked when no longer required.
- Prevent unauthorised access to administrative accounts through appropriate controls such as:
  - Enforcing password complexity.
  - Enforcing password expiration.
  - Dual control of passwords (where a user can only retrieve a password after permission or confirmation has been granted by an “Authorised Safe Owner”).
  - Segregation of duties for system administration.
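The need-to-use, approval and periodic-review practices above can be turned into a repeatable check. The following is an added example, not code from the guide or from MAS: it assumes a hypothetical export of accounts holding administrative rights and a hypothetical approval register, both constructed inline, and reports the accounts a reviewer must act on.

```python
"""Periodic review of administrative accounts against an approval register.

Added example (not from the guide). Assumes a hypothetical export of accounts
holding administrative rights and a hypothetical register of approvals granted
on a need-to-use basis, each with an expiry date.
"""
from datetime import date

# Constructed sample export: accounts currently holding administrative rights.
ADMIN_ACCOUNTS = [
    {"user": "alice", "last_login": date(2024, 5, 20)},
    {"user": "bob", "last_login": date(2024, 1, 3)},
    {"user": "carol", "last_login": date(2024, 5, 28)},
    {"user": "erin", "last_login": date(2024, 1, 15)},
    {"user": "svc_backup", "last_login": date(2024, 5, 29)},
]

# Constructed approval register: who approved the right, why, and until when.
APPROVALS = {
    "alice": {"approver": "cto", "reason": "platform on-call", "expires": date(2024, 12, 31)},
    "bob": {"approver": "cto", "reason": "licence renewal project", "expires": date(2024, 3, 31)},
    "erin": {"approver": "cto", "reason": "billing system migration", "expires": date(2024, 12, 31)},
    "svc_backup": {"approver": "ciso", "reason": "nightly backups", "expires": date(2025, 6, 30)},
    "dave": {"approver": "cto", "reason": "audit support", "expires": date(2024, 12, 31)},
}

INACTIVE_DAYS = 90              # assumed threshold for a dormant administrative account
REVIEW_DATE = date(2024, 6, 1)  # constructed date of this review cycle


def review_admin_accounts(accounts, approvals, today):
    """Return sorted (user, finding) pairs for the reviewer to action.

    unapproved       - holds admin rights with no entry in the register
    approval_expired - approval has lapsed, so the right should have been revoked
    dormant          - approved but unused for INACTIVE_DAYS; reconfirm the need
    not_present      - approved in the register but no such admin account exists
                       (a stale register entry to clean up)
    """
    findings = []
    seen = set()
    for acct in accounts:
        user = acct["user"]
        seen.add(user)
        approval = approvals.get(user)
        if approval is None:
            findings.append((user, "unapproved"))
        elif approval["expires"] < today:
            findings.append((user, "approval_expired"))
        elif (today - acct["last_login"]).days > INACTIVE_DAYS:
            findings.append((user, "dormant"))
    for user in approvals:
        if user not in seen:
            findings.append((user, "not_present"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_admin_accounts(ADMIN_ACCOUNTS, APPROVALS, REVIEW_DATE):
        print(f"{user:12} {finding}")
```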
2. Applying security patching
- The FI must apply security patches (i.e. security updates) to address vulnerabilities in every system.
- Such security patches must be applied within an appropriate timeframe, based on the risk posed by each vulnerability.
  - For example, if the risk is more serious (e.g. customer data is at risk), a security patch should be applied as soon as it is available.
  - If the risk is minimal (e.g. the risk is confined to an isolated server that does not affect customers), the appropriate timeframe could be longer.
- If no security patch is available, the FI must ensure controls are put in place to reduce any risks posed by the relevant vulnerability.
When your company discovers a new vulnerability, it should assess the severity of the vulnerability. Your company can then develop a remediation plan that is appropriate to:
- How important the affected systems are to your company.
- The risk that the vulnerability poses.
This remediation plan entails deciding on a timeframe and a procedure to apply the relevant security patch, ideally without affecting end users. The appropriate timeframe for applying the patch may differ from one system to another, or one vulnerability to another.
Example of a remediation plan: Implementing auto-updates or periodic updates during maintenance windows
Depending on your company’s remediation plan, it might make sense to turn on automatic updates (where available) for any non-system-critical software to ensure that your systems are always up-to-date. This way, you will always have the latest security patch applied to your system.
However, such an automatic update might introduce “breaking changes” to your internally developed software that relies on the third-party application. This means that some functionality of your software no longer works because of the changes made in the update.
For example, suppose your company has an internally developed customer-facing application, such as a banking website, which relies on a third-party application (e.g. hosted at “application.com”). When your banking customers attempt to log in, the banking website checks that the customers’ credentials are valid by retrieving data from application.com at a particular URL (e.g. “application.com/get/customerData”) in a particular format. This process of retrieving data is known as an “API call”.
An automatic update to the third-party application might change that URL (e.g. to “application.com/customer_data” instead) or change the format of the data, so that the API call no longer works. Your customers would then be unable to log into your site (this is an example of a “breaking change”).
To mitigate these effects, your company might wish to implement and notify your users of scheduled or ad hoc maintenance periods. You can then safely apply updates without adversely affecting users who rely on your services.
What if no patch is available?
If your company discovers a vulnerability for which no patch is available (e.g. it is a new or ‘zero-day’ vulnerability), your company should mitigate the risks that the vulnerability poses.
One way to do so is to use appropriate network security devices (like Web Application Firewalls) to detect, intercept and/or drop potentially malicious web requests that are targeted to exploit the vulnerability.
You may also wish to consult any vendors (e.g. for your software or databases) that you are working with to see if they have any workarounds specific to their service.
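The remediation plan described above (a timeframe set by severity and by how important the affected system is, with compensating controls when no patch exists) can be tracked mechanically. The following is an added example, not code from the guide or from MAS: the patch windows, severity labels and vulnerability entries are constructed assumptions, and a real plan would use your company’s own risk assessment.

```python
"""Patch remediation planning: deadline by severity and system criticality.

Added example (not from the guide or MAS). All timeframes, labels and findings
below are constructed assumptions for illustration.
"""
from datetime import date, timedelta

# Assumed maximum days to apply a patch, keyed by (severity, system criticality).
# Serious risk to customer data: patch as soon as it is available (0 days).
# Low risk confined to an isolated system: a longer window is acceptable.
PATCH_WINDOW_DAYS = {
    ("critical", "customer-facing"): 0,  ("critical", "internal"): 3,  ("critical", "isolated"): 7,
    ("high", "customer-facing"): 7,      ("high", "internal"): 14,     ("high", "isolated"): 30,
    ("medium", "customer-facing"): 30,   ("medium", "internal"): 60,   ("medium", "isolated"): 90,
    ("low", "customer-facing"): 90,      ("low", "internal"): 180,     ("low", "isolated"): 180,
}


def plan_remediation(finding, today):
    """Return the deadline and status for one vulnerability finding.

    finding keys: system, criticality, severity, discovered (date),
                  patch_available (bool), patched (bool)
    """
    window = PATCH_WINDOW_DAYS[(finding["severity"], finding["criticality"])]
    deadline = finding["discovered"] + timedelta(days=window)
    if finding["patched"]:
        status = "patched"
    elif not finding["patch_available"]:
        # No patch yet: compensating controls (e.g. WAF rules, vendor
        # workarounds) are required until one ships; track it, do not close it.
        status = "compensating_controls_required"
    elif today > deadline:
        status = "overdue"
    else:
        status = "within_window"
    return {"system": finding["system"], "deadline": deadline, "status": status}


# Constructed sample inventory of findings and the date the report is run.
FINDINGS = [
    {"system": "web-login", "criticality": "customer-facing", "severity": "critical",
     "discovered": date(2024, 6, 1), "patch_available": True, "patched": False},
    {"system": "hr-portal", "criticality": "internal", "severity": "medium",
     "discovered": date(2024, 5, 1), "patch_available": True, "patched": False},
    {"system": "build-box", "criticality": "isolated", "severity": "low",
     "discovered": date(2024, 5, 20), "patch_available": True, "patched": True},
    {"system": "api-gateway", "criticality": "customer-facing", "severity": "high",
     "discovered": date(2024, 6, 2), "patch_available": False, "patched": False},
]
AS_OF = date(2024, 6, 3)


def remediation_report(findings=FINDINGS, today=AS_OF):
    """List (system, status, deadline) with the most urgent items first."""
    plans = [plan_remediation(f, today) for f in findings]
    order = {"overdue": 0, "compensating_controls_required": 1, "within_window": 2, "patched": 3}
    plans.sort(key=lambda p: (order[p["status"]], p["deadline"]))
    return [(p["system"], p["status"], p["deadline"].isoformat()) for p in plans]


if __name__ == "__main__":
    for system, status, deadline in remediation_report():
        print(f"{system:12} {status:32} due {deadline}")
```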
3. Establishing baseline security standards
- The FI must ensure there is a written set of security standards for every system.
- The FI must ensure that every system conforms to these security standards.
- If the system is unable to conform to these security standards (e.g., if the security standards require that all applications be cut off from the public Internet, but the application in question requires an Internet connection), the FI must ensure controls are put in place to reduce any risks.
MAS has stated that a company can refer to internationally recognised industry best practices from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST).
Some of the best practices from CIS (e.g. the CIS Controls) are similar to the MAS requirements, such as monitoring administrative privileges on computers, applications and networks, and establishing boundary defence. They also include other best practices, such as maintaining an inventory of all hardware and software assets and monitoring audit logs.
What if a system cannot comply with the standards?
If a system cannot comply with security standards, your company should institute appropriate risk mitigation controls.
For example, one way your company can mitigate the risks is to implement a transparent proxy between the third-party service and the Internet. This allows you to intercept traffic, and to audit and inspect all the data the third-party service sends to the Internet, ensuring that none of your company’s data is compromised.
4. Implementing network perimeter defences
Requirement: The FI must put in place controls at its network perimeter to restrict all unauthorised network traffic.
The network perimeter refers to a boundary between the public-facing side of a network and a company’s private network (sometimes known as the De-Militarized Zone). For example, if you are a bank offering an online banking service, your web or mobile application that the customers use to access your banking services is the “public facing” side that customers can access through the Internet. However, the applications will likely retrieve and make changes to a database that is in your private network or Intranet.
You may also have firewalls and Intrusion Detection Systems that guard this border between the public and private networks. All these constitute your “network perimeter”.
To meet the requirement to defend its network perimeter, your company should implement network security devices at the network perimeter. Such network security devices serve to monitor incoming and outgoing traffic at the border between your system and the outside world, maintaining the integrity of your system.
5. Implementing anti-malware measures
Requirement: The FI must ensure that one or more malware protection measures (e.g. antiviruses) are implemented where it is possible to do so.
Such anti-malware measures may include installing anti-virus solutions. The type of solution to be installed would vary, depending on the type of system to be safeguarded and the IT environment they operate in.
Your company may also need to implement measures at the endpoints (e.g. laptops and desktops that can access your internal network through VPN tunnels), email gateway or internet gateway to mitigate any risk of malware infection.
6. Strengthening user authentication
Requirement: The FI must ensure that multi-factor authentication is implemented for all administrative accounts and all accounts used by the FI to access customer information through the Internet.
Multi-factor authentication refers to requiring multiple methods to authenticate a user. Generally, it utilises two or more independent categories of credentials:
- What the user knows (e.g. passwords)
- What the user has (e.g. a security token generated by a hardware device or mobile application)
- Who/what the user is (e.g. by scanning the user’s fingerprint or face)
Your company should implement multi-factor authentication (e.g. where a one-time password generated by a hardware device or mobile application is required to log in) for administrative accounts on all its critical systems. This should be done even if these accounts are restricted to your company’s internal network. This is because passwords can be compromised by insiders as well as external intruders who can gain access to the internal network.
While not a strict requirement under the MAS Cyber Hygiene Notice, it is also prudent to enforce a password policy. This will make it harder for attackers to simply guess account passwords or to use passwords obtained in data leaks. Examples of some password policy best practices include setting password complexity requirements (e.g. passwords to contain at least 8 characters and a special character) and a password expiry date at regular intervals.
Exceptions to Compliance Requirements with the Notice
Your company does not need to comply with any of the 6 requirements above in respect of a system if:
- Your company cannot exercise direct control over that system to ensure compliance with the relevant requirement;
  - For example, if your company is the developer of a customer-facing web application that is hosted on your own servers, your company can exercise direct control by having your system administrators secure the servers, and by having your developers make changes to the application code where necessary.
  - If instead the vulnerability arises in a third-party system, your company does not have direct control over that system, because your company has no direct authority to require the third party’s system administrators or developers to make the same changes.
- Your company cannot exercise indirect control over that system by requiring the system provider to ensure compliance with the relevant requirement; and
  - For example, your company may have a service agreement with a third-party software provider that makes your security requirements and policies binding on that provider. In this case, you would have indirect control over the system.
- It is not reasonable for your company to procure the system from an alternative provider over which your company can exercise indirect control.
Reporting Obligations on Compliance with the Notice on Cyber Hygiene
Even if your company is required to comply with the Notice, it does not need to submit an attestation or audit of its compliance with the Notice on Cyber Hygiene to MAS. Instead, MAS expects your company to report to its senior management on the state of its compliance with the requirements of the Notice.
MAS will review the extent of your company’s compliance with the Notice as part of its supervisory process.
Failure to Comply with the Notice on Cyber Hygiene
The Notice on Cyber Hygiene is legally binding. This means that a failure to comply with the Notice is an offence that is punishable by law.
The penalty depends on the type of FI your company is. For example, a bank that fails to comply with the Notice on Cyber Hygiene is liable to a fine of up to $100,000 and a further $10,000 for every day or part of a day during which the non-compliance continues.
On the other hand, a credit card provider that fails to comply with the Notice on Cyber Hygiene would instead be liable to a fine of up to $25,000 and a further $2,500 per day or part of a day of non-compliance.
In more serious cases, MAS may revoke your company’s licence to carry out financial services.
Apart from the legal consequences, a failure to maintain cyber hygiene could leave your systems vulnerable to malicious attacks from internal and external sources. This might lead to other adverse consequences like personal data breaches, an interruption in services provided, and/or financial losses for your company and customers.
Such a breach could also lead to your customers losing trust in your company and choosing to engage an alternative financial service provider instead.
It is important to maintain cyber hygiene to prevent the loss of your customers’ data, money, and most of all, trust. Maintaining and monitoring your company’s cyber hygiene would also ensure that your company will be well-equipped to prevent breaches and handle any security threats as they arise.
A corporate lawyer may be able to assist your company by assessing your company’s current cybersecurity risks and providing advice on how to ensure full compliance with MAS’ cyber hygiene requirements (provided you are legally mandated to comply with the notice).