11 Cybersecurity Management
Cyber Risk Management
17 Such as Quick Response (QR) code, Bar Code, Near Field Communication (NFC), Radio Frequency Identification (RFID), Wearables.
18 For example, in respect of QR payments, financial institutions shall implement safeguards within their respective mobile applications to detect and mitigate risks relating to QR codes that may contain malware or links to phishing websites.
Risk Management in Technology 26 of 67
Issued on: 1 June 2023
S 11.1 A financial institution must ensure that there is an enterprise-wide focus on effective cyber risk management to reflect the collective responsibility of business and technology lines for managing cyber risks.
S 11.2 A financial institution must develop a CRF which clearly articulates the institution’s governance for managing cyber risks, its cyber resilience objectives and its risk tolerance, with due regard to the evolving cyber threat environment. Objectives of the CRF shall include ensuring operational resilience against extreme but plausible cyber-attacks. The framework must be able to support the effective identification, protection, detection, response, and recovery (IPDRR) of systems and data hosted on-premise or by third party service providers from internal and external cyber-attacks.
S 11.3 The CRF must consist of, at a minimum, the following elements:
(a) development of an institutional understanding of the overall cyber risk context in relation to the financial institution’s business and operations, its exposure to cyber risks and current cybersecurity posture;
(b) identification, classification and prioritisation of critical systems, information, assets and interconnectivity (with internal and external parties) to obtain a complete and accurate view of the financial institution’s information assets, critical systems, interdependencies and cyber risk profile;
(c) identification of cybersecurity threats and countermeasures including measures to contain reputational damage that can undermine confidence in the financial institution;
(d) layered (defense-in-depth) security controls to protect its data, infrastructure and assets against evolving threats;
(e) timely detection of cybersecurity incidents through continuous surveillance and monitoring;
(f) detailed incident handling policies and procedures and a crisis response management playbook to support the swift recovery from cyber-incidents and contain any damage resulting from a cybersecurity breach; and
(g) policies and procedures for timely and secure information sharing and collaboration with other financial institutions and participants in financial market infrastructure to strengthen cyber resilience.
S 11.4 In addition to the requirements in paragraph 11.3, a large financial institution is required to—
(a) implement a centralised automated tracking system to manage its technology asset inventory; and
(b) establish a dedicated in-house cyber risk management function to manage cyber risks or emerging cyber threats. The cyber risk management function shall be responsible for the following:
(i) perform detailed analysis on cyber threats, provide risk assessments on potential cyber-attacks and ensure timely review and escalation of all high-risk cyber threats to senior management and the board; and
(ii) proactively identify potential vulnerabilities including those arising from infrastructure hosted with third party service providers through the simulation of sophisticated “Red Team” attacks on its current security controls.
Cybersecurity Operations
S 11.5 A financial institution must establish clear responsibilities for cybersecurity operations which shall include implementing appropriate mitigating measures in the financial institution’s conduct of business that correspond to the following phases of the cyber-attack lifecycle:
(a) reconnaissance;
(b) weaponisation;
(c) delivery;
(d) exploitation;
(e) installation;
(f) command and control; and
(g) exfiltration.
G 11.6 Where relevant, a financial institution should adopt the control measures on cybersecurity as specified in Appendix 5 to enhance its resilience to cyber-attacks.
S 11.7 A financial institution must deploy effective tools to support the continuous and proactive monitoring and timely detection of anomalous activities in its technology infrastructure. The scope of monitoring must cover all critical systems including the supporting infrastructure.
S 11.8 A financial institution must ensure that its cybersecurity operations
continuously prevent and detect any potential compromise of its security controls or weakening of its security posture. For large financial institutions,
this must include performing a quarterly vulnerability assessment of external and internal network components that support all critical systems.
S 11.9 A financial institution must conduct annual intelligence-led penetration tests on its internal and external network infrastructure as well as critical systems including web, mobile and all external-facing applications. The penetration testing shall reflect extreme but plausible cyber-attack scenarios based on emerging and evolving threat scenarios. A financial institution must engage suitably accredited penetration testers and service providers to perform this function.
S 11.10 In addition to the requirement in paragraph 11.9, a large financial institution
must undertake independent compromise assessments on the technology infrastructure of its critical systems at least annually and ensure the results of such assessments are escalated to senior management and the board in a timely manner.
S 11.11 A financial institution must establish standard operating procedures (SOP) for vulnerability assessment and penetration testing (VAPT) activities. The SOP must outline the relevant control measures including ensuring the external penetration testers are accompanied on-premises at all times, validating the event logs and ensuring data purging.
S 11.12 A financial institution must ensure the outcome of the penetration testing exercise is properly documented and escalated in a timely manner to senior management to identify and monitor the implementation of relevant remedial actions.
Distributed Denial of Service (DDoS)
S 11.13 A financial institution must ensure its technology systems and infrastructure,
including critical systems outsourced to or hosted by third party service
providers, are adequately protected against all types of DDoS attacks
(including volumetric, protocol and application layer attacks) through the
following measures:
(a) subscribing to DDoS mitigation services, which include automatic ‘clean
pipe’ services to filter and divert any potential malicious traffic away from the network bandwidth;
(b) regularly assessing the capability of the provider to expand network bandwidth on-demand including upstream provider capability, adequacy of the provider’s incident response plan and its responsiveness to an attack; and
(c) implementing mechanisms to mitigate against Domain Name Server (DNS) based layer attacks.
Data Loss Prevention (DLP)
S 11.14 A financial institution must establish a clear DLP strategy and processes in
order to ensure that proprietary and customer and counterparty information is
identified, classified and secured. At a minimum, a financial institution must –
(a) ensure that data owners are accountable and responsible for identifying and appropriately classifying data;
(b) undertake a data discovery process prior to the development of a data classification scheme and data inventory; and
(c) ensure that data accessible by third parties is clearly identified and policies must be implemented to safeguard and control third party access.
This includes adequate contractual agreements to protect the interests of
the financial institution and its customers.
S 11.15 A financial institution must design internal control procedures and implement
appropriate technology in all applications and access points to enforce DLP
policies and trigger any policy violations. The technology deployed must cover
the following:
(a) data in-use – data being processed by IT resources;
(b) data in-motion – data being transmitted on the network; and
(c) data at-rest – data stored in storage mediums such as servers, backup media and databases.
S 11.16 A financial institution must implement appropriate policies for the removal of data on technology equipment, mobile devices or storage media to prevent unauthorised access to data.
Security Operations Centre (SOC)
S 11.17 A financial institution must ensure its SOC, whether managed in-house or by third party service providers, has adequate capabilities for proactive monitoring of its technology security posture. This shall enable the financial institution to detect anomalous user or network activities, flag potential breaches and establish the appropriate response supported by skilled resources based on the level of complexity of the alerts. The outcome of the SOC activities shall also inform the financial institution’s reviews of its cybersecurity posture and strategy.
S 11.18 The SOC must be able to perform the following functions:
(a) log collection and the implementation of an event correlation engine with parameter-driven use cases such as Security Information and Event Management (SIEM);
(b) incident coordination and response;
(c) vulnerability management;
(d) threat hunting;
(e) remediation functions including the ability to perform forensic artifact handling, malware and implant analysis; and
(f) provision of situational awareness to detect adversaries and threats including threat intelligence analysis and operations and monitoring indicators of compromise (IOC). This includes advanced behavioural analysis to detect signature-less and file-less malware and to identify anomalies that may pose security threats including at endpoints and network layers.
S 11.19 A financial institution must ensure that the SOC provides a regular threat
assessment report, which shall include, at a minimum, the following:
(a) trends and statistics of cyber events and incidents categorised by type of attacks, target and source IP addresses, location of data centres and criticality of applications; and
(b) intelligence on emerging and potential threats including tactics,
techniques and procedures (TTP).
For large financial institutions, such reports shall be provided on a monthly basis.
S 11.20 A financial institution must subscribe to reputable threat intelligence services to identify emerging cyber threats, uncover new cyber-attack techniques and support the implementation of countermeasures.
S 11.21 A financial institution must ensure the following:
(a) the SOC is located in a physically secure environment with proper access controls;
(b) the SOC operates on a 24×7 basis with disaster recovery capability to ensure continuous availability; and
(c) the SOC has a holistic and end-to-end view of the financial institution’s infrastructure including internal and external facing perimeters.
Cyber Response and Recovery
S 11.22 A financial institution must establish comprehensive cyber crisis management policies and procedures that incorporate cyber-attack scenarios and responses in the organisation’s overall crisis management plan, escalation processes, business continuity and disaster recovery planning. This includes developing a clear communication plan for engaging shareholders, regulatory authorities, customers and employees in the event of a cyber-incident.
S 11.23 A financial institution must establish and implement a comprehensive Cyber
Incident Response Plan (CIRP). The CIRP must address the following:
(a) Preparedness
Establish a clear governance process, reporting structure and roles and
responsibilities of the Cyber Emergency Response Team (CERT) as well as invocation and escalation procedures in the event of an incident;
(b) Detection and analysis
Ensure effective and expedient processes for identifying points of
compromise, assessing the extent of damage and preserving sufficient evidence for forensics purposes;
(c) Containment, eradication and recovery
Identify and implement remedial actions to prevent or minimise damage to the financial institution, remove the known threats and resume business activities; and
(d) Post-incident activity
Conduct post-incident review incorporating lessons learned and develop long-term risk mitigations.
S 11.24 A financial institution must ensure that relevant CERT members are
conversant with the incident response plan and handling procedures and
remain contactable at all times. A key contact person or an alternate must be appointed to liaise with the Bank during an incident.
S 11.25 A financial institution must conduct an annual cyber drill exercise to test the
effectiveness of its CIRP, based on various current and emerging threat scenarios (e.g. social engineering), with the involvement of key stakeholders including members of the board, senior management and relevant third party service providers. The test scenarios must include scenarios designed to test:
(a) the effectiveness of escalation, communication and decision-making processes that correspond to different impact levels of a cyber-incident; and
(b) the readiness and effectiveness of CERT and relevant third party service providers in supporting the recovery process.
S 11.26 A financial institution must immediately notify the Bank of any cyber-incidents affecting the institution. Upon completion of the investigation, the financial institution is also required to submit a report on the incident through ORION19.
G 11.27 Financial institutions are strongly encouraged to collaborate and cooperate
closely with relevant stakeholders and competent authorities in combating
cyber threats and sharing threat intelligence and mitigation measures.