MAS ramps up (re)insurers’ cyber risk regulation

July 27 2020 by InsuranceAsia News Staff

Singapore's financial regulator, the Monetary Authority of Singapore (MAS), has announced it will expand its powers to oversee cyber risk management at (re)insurers and financial institutions.

In a recently released consultation paper, the MAS stated that it “recognise[s] the pervasive use of technology and growing sophistication of cyber threats.”

The MAS further proposed to increase the maximum penalty to S$1 million (US$721,000) should any (re)insurer or financial institution contravene the regulatory requirements for tech and cyber risk. 

(Re)insurers in Singapore currently adhere to two specific policies — the MAS’ Notice 127 on technology risk management, and Notice 132 on cyber hygiene.

Notice 127, released in June 2013, says licensed insurers in Singapore (except captive and marine mutual insurers) must have a framework and process in place to identify critical systems.

Insurers must also make “all reasonable effort to maintain high availability for critical systems,” ensuring that the maximum unscheduled downtime affecting their operations or customer service does not exceed four hours within any 12-month period.

Notice 132, announced in August 2019, states that relevant entities should have a framework in place for security standards, security patches, malware protection and multi-factor authentication, among others.

For more details on specific requirements for licensed (re)insurers, see the official MAS guidelines.

The current penalty for licensed (re)insurers that breach these requirements is a fine not exceeding S$100,000 (US$72,104). In the case of a continuing offence, a further fine not exceeding S$10,000 (US$7,210) can be imposed for every day or part thereof during which the offence continues after conviction.

There are corresponding requirements for other insurance intermediaries that are regulated by MAS.

Under the new proposals, the maximum penalty would be increased to a fine not exceeding S$1 million (US$721,000). In the case of a continuing offence, a further fine of S$100,000 (US$72,104) per day can be imposed.

The stricter legislation comes as markets worldwide grapple with the rise of digital technology and the new cyber risks that come along with it.

