MAS takes seriously all IT incidents, says Tharman

 MAS takes seriously all IT incidents, says Tharman

Mr Tharman said that the Monetary Authority of Singapore MAS takes seriously all IT incidents that affect the availability of digital banking services.

It requires banks to be able to recover systems supporting critical banking services such as fund transfers and payments services within four hours of any disruption. The total unscheduled downtime for each critical system must not exceed four hours within a 12 month period. The authority takes supervisory action if the banks don't meet these requirements, said Tharman.

In February 2022, MAS said that it had ordered DBS to appoint an independent expert to conduct a comprehensive review of the incident, including the bank's recovery actions.

The review also required DBS to assess how a similar incident could be prevented in future, said MAS.

The bank was directed to rectify all shortcomings identified in the review and implement measures to make sure that future disruption to its digital banking services is resolved quickly and effectively.

The bank was required to hold additional capital until all deficiencies identified in the review were corrected, according to MAS.

The recent incidents highlight the need for banks to review their IT resilience strategy, and ensure there is enough redundancy and fault tolerance built into their digital banking IT infrastructure, said Tharman on Tuesday.

In addition to that, a rapid diagnosis and recovery of systems and a robust business continuity management are critical in minimising the impact of an IT disruption. Tharman said that MAS has published a set of new business continuity management guidelines that set out measures that financial institutions can use to sustain critical business services and minimize service disruption.

Such measures include identifying the end-to- end dependencies across business processes, systems, manpower and other resources needed to deliver critical business services, and addressing gaps that could hinder the effective recovery of these services during an outage.

Tharman said that the monetary authority highlighted third-party risks such as public cloud computing services as a key area for financial institutions to focus on.

The Association of Banks in Singapore and the Bank for International Settlements are working together with the industry to identify the best practices to manage third-party risks, and the MAS has been working closely with the industry, global financial regulators and leading service providers.

The technology landscape that banks operate in is becoming more complex. In order to maintain stability and trust in the banking system, it is important that banks maintain and uplift the security and resiliency of their IT systems.

MAS will work closely with the industry in this regard.