Although the rapid digitalisation of the city state’s economy is creating new growth opportunities, it is also throwing up an increasing number of cybersecurity challenges for both the government and financial sector to overcome.
The country’s Cyber Security Agency (CSA) revealed in its third annual Cyber Landscape report in June that 90% of the fake – or spoofed – websites detected last year imitated banking and financial services, technology or file hosting companies. The CSA observed 16,100 phishing URLs with a Singapore-link in 2018, up from 2,500 such sites in 2016.
The number of recorded business e-mail impersonation scams – where attackers use spoofed business e-mail accounts to trick companies into following bogus instructions – rose from 257 in 2016 to 378 in 2018.
In response, Singaporean authorities have introduced initiatives to deepen cybersecurity co-operation with neighbouring countries, such as the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE) in October, as well as a number of legally binding requirements for local financial institutions.
|This is the first feature in our ‘Cybersecurity Asia – Facing the threats’ series
> Sign up to receive our feature articles as they are released
Securing against cyberattacks
As part of Singapore’s Smart Nation vision, the government aims to turn the city into an e-payments society. To this end, the Monetary Authority of Singapore (MAS), the central bank and financial regulator, created the Project Ubin and Payments Council initiatives to collaborate with industry leaders.
Singapore is also expected to announce in 2020 details of a single platform that will allow consumers to aggregate account information from various financial institutions and share the consolidated data between organisations.
Despite these initiatives, the city’s FinTech sector continues to be exposed to cyber threats such as data theft, fraud and malware attacks. Such cyber threats led to the introduction of the Cybersecurity Act 2018, which created a regulatory framework for the monitoring and reporting of attacks.
Moreover, MAS issued in August a set of legally binding rules that more than 1,600 licensed financial institutions must adopt to secure their systems against cyberattacks. Known as the Cyber Hygiene Notices, the requirements focus on critical system recovery, customer data protection and incident reporting.
Ezra Tay, general counsel for invoice financing platform Capital Match, interviewed in October 2019, noted that such legislation was important for the sector, as it created a baseline from which companies could evolve their cybersecurity strategies.
“While it depends on the individual financial product, with differing products having varying levels of risk, legislation creates an important benchmark for the sector. The majority of Capital Match’s business is not MAS-regulated, but we believe it is beneficial to standardise cybersecurity measures across our entire platform,” Tay said.
Compliance does not equal safety. Meeting the legislation’s requirements is the absolute bare minimum for the sector.”
Kian Teck Soh, CTO for international payment provider QFPay, said that while the Cyber Hygiene Notices forced companies to become more cybersecurity conscious, achieving compliance should just be the start of the security process. “Compliance does not equal safety. Meeting the legislation’s requirements is the absolute bare minimum for the sector,” Soh said.
When the Payment Services Act comes into force in 2020, you should see an industry-wide rise in cyber readiness standards."
Chia Ling Koh, managing director of the Singapore-based OC Queen Street, said the government understood this need for greater cybersecurity preparedness. He said: “Many of the MAS rules are formulated to strengthen the FinTech company’s systems and processes against cyberattacks. When the Payment Services Act comes into force in 2020, you should see an industry-wide rise in cyber readiness standards.”
Legislation shouldn’t be too prescriptive; it needs to be tech agnostic. Singapore is getting this right."
The rapid pace of technological change, however, has repeatedly left legislators across the globe struggling to draw up rulesets that can adapt. As such, Singapore’s focus on collaboration and innovation in the cybersecurity space – rather than solely relying on legislation alone – is a step in the right direction.
Prabhakaran Janarthanan, the head of international bank UBS’ data protection legal team, praised Singapore’s adoption of a principle-based approach that addressed the broader cybersecurity framework.“Nobody wants to be attacked and governments are better served trying to work with companies. Legislation shouldn’t be too prescriptive; it needs to be tech agnostic. Singapore is getting this right,” he said.
As with most cyber-conscious companies, the international bank has found those attacks focusing on its staff to be one of its biggest vulnerabilities.
Targeted social engineering attacks against an individual can be very hard to defend against."
“Targeted social engineering attacks against an individual can be very hard to defend against,” Janarthanan said, adding: “We’ve invested significantly in defending against cyber-assaults that target our IT infrastructure, but when it comes to attacks targeting an individual it boils down to how closely that person follows their training.”
UBS has established training programmes focused on identifying phishing attacks and regularly conducts internal probes to simulate real-word attacks. The bank also trains employees to send any suspicious messages directly to the bank’s cybersecurity team for analysis. Janarthanan said: “It’s all about raising awareness and positively reinforcing the need for added vigilance.”
In addition to socially engineered attacks, similar to other organisations, ransomware attacks are also another area of concern for the bank. The company has invested extensively to address these threats and is working closely with international law enforcement agencies as well as national regulatory bodies to build a comprehensive cyber defence.
These concerns are echoed by QFPay’s Soh, who said phishing represented the “biggest danger” to his company. He added that while most of the company’s systems were cloud-based, protected by server-side security, there was always the risk that a successful phishing attack targeting employees could open up a backdoor.
Educate, educate, educate; it’s the only way. We are constantly assessing our staff through fake email exercises. It’s not something we’ll ever stop doing, because we need everyone to be aware of the risks such emails pose.”
Asked how QFPay was addressing these concerns, Soh said: “Educate, educate, educate; it’s the only way. We are constantly assessing our staff through fake email exercises. It’s not something we’ll ever stop doing, because we need everyone to be aware of the risks such emails pose.”
Gene Yu, co-founder and CEO of Blackpanda, said it was impossible to achieve 100% impenetrable cybersecurity, “no matter how much we invest in cybersecurity tools or services”. He added: “Playing defence is very difficult. Bad actors only need to get it right once, while the defence must anticipate any and all methods of attack.”
This is why, he said, companies are turning to cyber incident response firms. “In the same way a neighborhood requires access to emergency police, fire, or medical services regardless of individual homes’ security and preparedness, individual firms deserve the same level of service on stand-by for cyber emergencies.”
A multifaceted approach
Cyberattacks are an increasing part of the fabric of modern society and, while governments can introduce legislation to protect their citizens, much of the work needs to focus on generating greater awareness at an individual level.
The reality is that individuals tend to be overly relaxed when it comes to security.”
Capital Match’s Tay noted that FinTech companies were naturally security conscious simply because “data is a modern-day currency”. However, he added: “The reality is that individuals tend to be overly relaxed when it comes to security.” Tay said the consequences of a major data breach were rarely felt at a personal level, which led to complacency and created vulnerabilities that criminals could exploit.
Singapore’s collaborative approach, with other governments as well as industry, highlights the city state’s understanding that a multifaceted approach is needed to counter cyber threats. Legislation should be just the starting point for the country’s FinTech sector and, as interconnectivity expands, greater sector collaboration as well as more comprehensive staff training will be the order of the day.
This is the first feature in our 'Cybersecurity Asia - Facing the threats' series looking at cyber and data security issues around Asia. Over the course of successive quarters we will be releasing a series of features, each focusing on a specific Asian territory.