Under the Financial Services and Markets Bill the maximum fine would be raised to $1m per breach

Financial institutions could face higher penalties for a cyber attack or disruption to essential services if a new Bill is passed by the Singapore Parliament.

Monetary Authority of Singapore (MAS) board member Alvin Tan told Parliament during the second reading of the Financial Services and Markets Bill (FSM) that current deterrents do not go far enough.

”The current maximum penalties that can be imposed for breaches of technology risk management (TRM) requirements are not commensurate with the potential widespread impact to FIs’ customers and the financial industry that could result from such breaches.

”With the passing of the FSM Bill, the maximum penalty for each breach of a TRM requirement will be raised to $1 million per breach.

“A technology event which impacts an FI’s customers or other industry participants could involve breaches of several TRM requirements. 

“This means that an FI could face a much higher than $1m financial penalty for a serious cyberattack or disruption to essential financial service where multiple breaches of TRM requirements are established.”

The decision to raise the penalties for financial institutions that fail to adequately protect sensitive information is intended to reflect the critical importance of technology risk management to the operations of financial institutions and the sound functioning of the financial system.

”The quantum was derived after considering existing penalty regimes of other jurisdictions and Singapore Government agencies,” said Tan.

“For example, a contravention of the relevant provisions in the Telecommunications Act and Personal Data Protection Act can attract a financial penalty of $1m. In Hong Kong, a breach of data protection requirements can result in a financial penalty of HKD$1m,” he continued.

“In addition to the penalty imposed for a breach of TRM requirements, MAS is empowered to take other supervisory actions, such as requiring FIs to set aside additional regulatory capital until MAS is satisfied that adequate technology risk control measures have been put in place to address deficiencies.”