MAS Incident Response Guidelines

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.

Situation: The Monetary Authority of Singapore (MAS) requires all Financial Institutions (FIs) to conduct cyber incident response and digital forensics upon a cyber breach and submit a technical incident and forensics report within 14 days.

Solution: Ensure compliance within the 14-day requirement by hiring Blackpanda via a Zero Cost Retainer, Pre-Paid Retainer, or a comprehensive cyber insurance policy with Blackpanda requested as part of the policy’s response panel.

– –

On January 18th, 2021, the Monetary Authority of Singapore (MAS) released its latest revision to The Notice on Technology Risk Management (TRM). Key to this update are the requirements to investigate and report certain cyber incidents to the MAS.

With Incident Response and Reporting now mandatory for compliance with MAS guidelines, Blackpanda has produced the following advisory content covering reporting requirements and the capabilities needed to support an investigation.

What capabilities are required to comply with the updated MAS Guidelines?

Financial institutions reporting an incident to the MAS must use the official Incident Reporting Template. The following sections of the Incident Reporting Template require access to professional cyber security and digital forensics expertise in order to adequately comply with reporting requirements.

Incident Details & Lost/Stolen Data

The MAS reporting template requires comprehensive details about the incident, including a full understanding of which systems or business areas have been affected as well as whether or not any customer data or sensitive information has been lost or stolen.

Blackpanda digital forensics and incident response specialists help determine the full scope of an incident and the true nature of an attack, using a range of forensics tools and techniques to identify signs of compromise across your entire environment.

Through our partnership with
DarkOwl, a leading and powerful darknet search tool, we also draw on extensive darknet resources, scanning, and analysis to augment our forensic investigation into the loss or exfiltration of sensitive data.

Detailed Root Cause Analysis & Remediation

Resolving the symptoms of an attack does not necessarily fix the vulnerabilities that lead to an attacker’s success. MAS requires financial institutions report the conclusive factors leading to the incident as well as any measures taken to mitigate damage and ensure a similar event does not reoccur.

Sophisticated attackers tend to obscure their movement and point of entry to maintain persistence in an environment. As such, root cause analysis requires an elevated level of digital forensics experience or specialization. Blackpanda digital forensics experts uncover the true source of a breach and provide the action items to prevent an identical attack from occurring.

Blackpanda provides detailed root cause analysis as part of a comprehensive report for every investigation, outlining methodology, all findings, and specific recommendations for remediation.

Detailed Chronological Order of Events

As part of the final report, MAS requires full chronological documentation of all actions taken by the institution, including escalation steps, approvals sought on measures to mitigate damages, stakeholder involvement, and the rationale for such decisions.

Blackpanda incident response specialists always provide a chronological order of events by analyzing available logs and evidence. Not only does this practice meet MAS requirements, but this also ensures decision-makers are armed with the precise timing of events that may provide insight on how to best harden security following the attack.

In addition to our comprehensive incident documentation and investigation reporting, we will also work with your team prior to an incident to develop the appropriate Incident Response Plans and Playbooks to minimize uncertainty in crisis and facilitate more efficient response.

Impact Assessment

The Incident Reporting Template also requires a comprehensive impact assessment of the incident. Impact includes (but is not limited to) business impact, stakeholder impact (including customers and partners), regulatory and legal impact, and reputational impact.

Blackpanda regularly works in conjunction with law firms and public relations partners, serving on some of the world’s most respected cyber insurance response panels. Our crisis management specialists will work alongside your business, legal, and public relations teams to determine the technological impact of the incident and provide a more accurate understanding of its consequences for all stakeholders involved.

How quickly must an institution respond under the updated MAS Guidelines?

Notification: 1 Hour

A Financial Institution must notify the MAS within 1 hour upon the discovery of the relevant incident, providing an initial understanding of the incident context.

The MAS (and Blackpanda) recommends all financial institutions develop and test an Incident Response Plan that clearly defines roles, responsibilities, thresholds, and communications protocols so that no compliance-related incident notification is delayed or slips through the cracks.

Incident Report: 14 Days

The full root-cause and impact analysis report must be submitted to the MAS within 14 days of the discovery of the relevant incident.

To ensure swift and professional incident response within the reporting compliance window, Blackpanda recommends FIs take advantage of Zero-Cost and Pre-Paid Incident Response Retainers. Retainers allow customers to pre-establish response terms and hourly rates prior to activation, saving valuable time and resources.

Alternatively, FIs may consider a comprehensive cyber insurance policy that covers not only digital forensics but also legal and public relations response fees, in addition to standard first and third-party losses.

For more information on Blackpanda incident response retainers or placing Blackpanda on your existing cyber insurance policy, visit our Incident Response Retainers page.

When is incident reporting required under the updated MAS Guidelines?

The TRM applies to financial institutions (FIs) in Singapore. FIs include (but are not limited to) all banks, licensed financial advisers, licensed insurers, registered insurance brokers, and recognized market operators incorporated in Singapore. (The full list of FIs subject to the Notice can be viewed here.)

According to the MAS, “An IT incident occurs when there is an unexpected disruption to the delivery of IT services or a security breach of an IT system, which compromises the confidentiality, integrity, and availability of data or the IT system.”

Financial institutions must report the incident to the MAS upon discovery if the incident has severe and widespread impact on its operations or materially impacts the FI’s service to its customers. Notably, reporting must occur even if no customer information was compromised, irrespective of when the malfunction or incident occurs.

Furthermore, the MAS recommends that financial institutions have the capability to respond to cyber incidents and recovery operations on-hand. Should there be a lack of capacity for these skills internally, the procurement of external assistance comparable to Blackpanda’s Incident Response Services is encouraged to conduct a thorough and expedited response to an ongoing breach.

Interested in speaking to a DFIR specialist? 

Additional Resources