According to new rules from the Monetary Authority of Singapore (MAS), the country’s financial institutions have to report IT security incidents and system malfunctions to the regulator within 1 hour of discovery, regardless of when the incident or malfunction occurs.
After the initial report is submitted, organizations must file a second report that analyzes the incident and details the root cause. This second report must be provided to the MAS within 14 days.
Financial institutions are required to establish a framework and process to identify critical systems such as ATMs, online banking, and systems that support payment, clearing or settlement functions.
Isolated ATM outages don’t have to be reported, but any security incident or malfunction with a severe and widespread impact on the company’s operations must be disclosed.
Distributed denial-of-service (DDoS) attacks must also be reported, even if no customer information is compromised.