Singapore And Hong Kong Double Down On Cyber Resilience As Threats Escalate

April 23, 2025
Banking and finance hubs Singapore and Hong Kong have simultaneously pushed for higher standards in the financial sector when it comes to cyber resilience.

Financial regulators in the two jurisdictions have unveiled a series of new measures aimed at strengthening cyber resilience across the banking and financial sectors, as digital threats grow in sophistication and complexity across borders.

In Singapore, the Monetary Authority of Singapore (MAS) convened its Cyber and Technology Resilience Experts (CTREX) Panel for the first time on April 16.

The panel, formed in August 2024, brings together international experts, including representatives from Microsoft, Google and HSBC, to assess emerging cyber and technology risks and issue recommendations for strategies that can improve the resilience of Singapore’s financial system.

At its inaugural meeting, the CTREX Panel called for a more service-centric approach to operational resilience.

It urged financial institutions to view service disruptions from the customer’s perspective, moving beyond scripted disaster recovery exercises by incorporating unscripted elements into drills to better simulate real-world crises. 

The panel also emphasised that financial firms need to better manage supply chain and software risks by maintaining detailed inventories of their IT components and third-party dependencies.

Looking ahead to a post-quantum security environment, CTREX recommended that institutions begin inventorying their cryptographic systems in order to prioritise the replacement of those vulnerable to quantum attacks — an issue that has also been highlighted elsewhere, including by the European Payments Council. 

It also raised concerns about the rising sophistication of digital financial scams, encouraging banks to deploy artificial intelligence (AI) tools for fraud detection, adopt phishing-resistant authentication, share intelligence across the industry and expand customer education efforts.

The risk from vendors

The importance of managing third-party risk was further reinforced by the MAS and the Cyber Security Agency of Singapore (CSA) in a joint letter responding to a commentary published in The Straits Times on April 14. 

The agencies agreed with the view of the letter writer that vendors could become the weak link if not held to the same cybersecurity standards as financial institutions. 

The MAS reiterated that all supervised entities are expected to have stringent controls in place when customer data is shared with external vendors, and to regularly assess the adequacy of these controls. 

In the event of a breach involving a vendor, financial institutions must act quickly to limit harm and communicate clearly with affected customers.

The CSA encouraged vendors to adopt its Cyber Essentials and Cyber Trust marks, national certifications that demonstrate robust cybersecurity practices. 

The agency is considering making these certifications mandatory for vendors bidding for sensitive government contracts, and is offering up to 70 percent co-funding to support eligible small and medium-sized enterprises (SMEs). 

Through its CISO-as-a-Service scheme, the CSA is also helping companies align with these standards, and the letter underscored that cyber defence must extend across the full supply chain, not just within individual organisations.

DDoS attacks in HK

In Hong Kong, meanwhile, the Hong Kong Monetary Authority (HKMA) issued a circular to all authorised institutions on April 16, urging them to strengthen their defences against distributed denial-of-service (DDoS) attacks.

Although Hong Kong has so far had relatively few DDoS incidents, the HKMA pointed to isolated cases where customer services were disrupted, and warned that cross-border infrastructure dependencies can expose local operations to overseas threats.

The guidance highlighted that local management must be involved in incident response, particularly in situations where group headquarters might take drastic measures, such as suspending online banking services. 

The HKMA urged banks to review their controls, adopt multi-layered defence strategies and conduct regular simulations to test how well they can respond to increasingly complex DDoS attack methods, which often involve combinations of volumetric, protocol and application-layer tactics.

The HKMA also cautioned against potential errors in crisis handling, such as poorly configured defences or unclear customer communications, which it warned could worsen the impact of an attack. 

The regulator said it would continue monitoring cyber incident trends and provide further guidance to the industry, alongside enhancements to its Cyber Intelligence Sharing Platform, introduced in late 2024.
