Thursday, July 30, 2015

Cyber Security Preparedness

In this advanced cyber age, information technology ("IT") risks need to be effectively managed in order to protect data and prevent unauthorised access to systems and infrastructure. An increasing number of cases of data security breaches have been observed in recent times, as evident in Japan, the U.S. and even Singapore in the past year. The consequences of such incidents are severe, resulting in the compromise of the personal and financial information of millions of individuals.

Regulators have highlighted the need to raise awareness of IT risks, and firms are urged to enhance their cyber security. In South Korea in particular, financial regulators have announced measures to encourage financial firms to strengthen their information security and internal controls voluntarily. There will be new guidelines on internal IT audits as well as programs to train internal IT auditors at smaller firms which lack IT audit capabilities. In addition, common standards to foster the sharing of information on fraudulent transactions and a fraud detection data sharing platform will be established.

Hong Kong's Securities and Futures Commission ("SFC") has highlighted major deficiencies in licensed corporations ("LCs") pertaining to IT risks. The SFC found that LCs lacked formal IT management policies and proper monitoring procedures. There was a lack of comprehensive assessment of IT systems, and IT security awareness training for staff and clients was not adequate. The network infrastructure of LCs was in general poorly designed and did not safeguard the confidentiality and integrity of information stored in the internet trading systems or of the information passed between internal and external networks. The SFC also found that LCs had inadequate controls to monitor abnormal user activities and insufficient backup facilities. In addition, contingency plans were rarely tested to ensure that they were adequate and suitable. There was also a lack of incident reporting with regard to system delays or failures.

Meanwhile, the U.S. will have in place a new sanctions program to penalize individuals, businesses and governments who engage in activities in cyberspace that undermine the country’s security and financial stability. The sanctions target cyber-attacks that compromise vital infrastructure or reveal trade secrets and sensitive information. Singapore has also set up a Cyber Security Agency (“CSA”) to protect national systems from increasing cyber threats. The CSA will promote awareness and strengthen cyber security in critical sectors such as the banking and energy industries. Furthermore, the CSA will ensure effective coordination and deployment in response to cyber threats. In addition, the Monetary Authority of Singapore (“MAS”) has recently announced the formation of a new FinTech & Innovation Group (“FTIG”) in order to better manage risks, enhance efficiency, and strengthen competitiveness in the financial sector.

Under the Notices and Guidelines on Technology Risk Management (“TRM”) issued by the MAS, financial institutions are required to review their technology systems and processes and evaluate how to effectively implement adequate technology risk measures in order to protect their IT. For more information in this regard, see the previous posting by Maroon’s IT security partner Workplace Consulting.
