When attending a PWC Singapore meeting on new MAS guideline, there are many questions in my head regarding how the 1 hour incident reporting requirement could be fulfilled.
The requirement requires banks operating in Singapore to report to MAS within one hour when relevant incident ( security breaches and malfunction) is discovered.
There are a few levels of complexity. One is boundary of application issue. The other is SLA issue.
Most international bank system are located in multiple time zone. Trading system maybe in London and centrally managed. Singapore application is running side by side with other regions applications. If only Japan application is under attack, shall MAS be informed taking the consideration that the affected JP application is running on same hardware platform as SG? If yes, MAS will be a central info hub of security incident globally. Also with time zone issue, international banks in Singapore will need to respond global incidents and be able to decide if the incident happening in London should be reported to MAS, not to mention the one hour requirement.
Systems are no longer running localized version. Virtualization and cost saving already change the old system to centralized and shared platforms. A clear boundary could not be easily draw when a component is affected.
I believe this question is already considered by relevant parties and MAS. One possible solution is focus on whether the remote incident materially impact Singapore operation. There should be some mutual understanding between regulator and banks on how to limited the catch all possibility of incident reporting requirement. Will talk about SLA later