By Tim Percival - VP of Cyber, APAC & Anthony Long - Managing Principal Security Consultant

This month, the Saudi Arabia central bank has announced plans to incorporate open banking into their financial infrastructure. This move is set bring about many new opportunities as the Kingdom changes direction from their usual path of stability. The new plans will enable increased data-sharing, allowing customers and businesses to have more control over their finances and access bespoke financial services. 

With Singapore having already began to adopt open banking technology around 2016, it’s clear that Asia’s financial market is wasting no time when it comes to the latest technological advancements. Yet, with this adoption comes increased cyber-risks, rendering regulatory authorities all the more critical in stabilising the market.

In part four of the ‘Global Regulatory Frameworks Compared series, we’ll look at AASE – the cybersecurity guidelines created for the Singapore market by ABS (The Association of Banks in Singapore).

Singapore’s approach to financial regulation – AASE

Singapore is slightly different to the other geographies we have covered in the series. Their regulatory framework; AASE or Adversarial Attack Simulation Exercises, were written by a not for profit agency, ABS, as a set of guidelines, as opposed to other frameworks that are created and enforced by the regulators.

Right now, AASE is a guideline that banks can choose to opt in or opt out of, depending on their risk appetite. If a bank decides it would rather focus on other attack vectors or align to other regulatory requirements, such as CBEST or iCAST, then that is at the discretion of the organisation.

AASE is designed to test the robustness of Singapore financial institutions’ cyber defences and identify gaps in their people, processes and technologies. It provides a strong focus on the Simulated Testing aspects, whilst keeping the Threat Intelligence and assessment of response optional and less defined. For example, the use of internal resources to deliver these aspects is welcomed – or may even be done as part of the testing engagement itself. Whilst this is acceptable, further consideration should be given to ensure that third party intelligence providers, such as ones on the CREST website, should be used to ensure that the most relevant threat intelligence is being gathered.

AASE Regulatory Framework Objectives

The AASE framework was specifically created to regulate and improve Singapore’s financial sector and defines the use of red team testing within financial institutions. However, it can also be applied to a number of other sectors.

The objectives of the AASE framework are as follows –

1. To enable businesses to assess their organisational resilience against adversarial attack techniques, tactics and procedures.
2. To identify weaknesses in security controls and associated risks not detected by standard vulnerability and security testing methodologies.
3. To enable businesses to assess the FI’s security incident management and/or crisis management response and processes.
4. To provide a safe, controlled opportunity to identify and enhance the security posture of an FI reducing risk of cyber compromise.
5. To provide an opportunity for the Defensive teams, such as the Security Monitoring or Incident Response team to gain experience and be more proficient in detecting and responding to incidents.
6. To provide pragmatic direction to the involved stakeholders as well as confidence in an informed post-activity short, medium and long-term security strategy.

How does AASE compare to other regulatory frameworks?

The table below provides an overview of the main characteristics of the four frameworks driven by regulators (CBEST, TIBER-EU, and iCAST) and the Red Teaming approach put forward by ABS in Singapore. For the purpose of this post, we are focusing on AASE in relation to the other frameworks.

What is the current status of the AASE framework?

Current Status: Large focus on simulated testing.

1. Large focus on red team testing;
2. Optional elements around threat intelligence with viewpoints being provided from within the organisation, if chosen;
3. Well defined red team process and gives some elements of technical methodology, but is almost too prescriptive in places;
4. Defined report structures (x8) set out that probably need to be reviewed once the scheme is formally in place;
5. AASE is designed to be a set of guidelines to be referred to when conducting red team exercises, rather than a regulators framework to be followed.

How can Nettitude help?

Although AASE is a framework as opposed to regulation, Nettitude are able to provide full spectrum services that align with AASE requirements. Whether it’s delivering CBEST, STAR-FS, GBEST, TBEST, TIBER, iCAST, FEER, CORIE or AASE, Nettitude’s team are well placed to help organisations to deliver an end-to-end engagement, including Threat Intelligence and Red Teaming combined.

For more information on approaching iCAST, get in touch with your local Nettitude team.

Download the full whitepaper here.

Acronym Guide 

• CBEST - Financial UK
• GBEST – UK Government
• TBEST – UK Telcos
• STAR-FS (Simulated Target Attack & Response – Financial Services) – UK Financial
• STAR (Simulated Target Attack & Response)
• iCAST (Intelligence-led Cyber Attack Simulation Testing) – Hong Kong
• AASE (Adversarial Attack Simulation Exercise) - Singapore
• TIBER (Threat Intelligence-based Ethical Red Teaming) - Europe
• FEER (Financial Entities Ethical Red-Teaming) – Saudi Arabia
• CORIE (Cyber Operational Resilience Intelligence-led Exercises) – Australia

Previously in the blog Series:

Edition No.1 - A comparison of global regulatory frameworks – CBEST

Edition No.2 - A comparison of global regulatory frameworks – TIBER-EU

Edition No.3 - A comparison of global regulatory frameworks - iCAST

Edition No.4 - A comparison of global regulatory frameworks – AASE

Upcoming in the blog Series:

Edition No.5 - A comparison of global regulatory frameworks – a roundup of CBEST, TIBER-EU, iCAST and AASE.