MAS Notice 655 and the Cyber Hygiene Imperative — What Singapore Financial Institutions Must Do Now

The Monetary Authority of Singapore (MAS) has been unambiguous on this point: cyber hygiene for financial institutions is not optional. The MAS Cyber Hygiene Notice — formally referenced as MAS Notice 655 within the broader family of MAS technology risk notices (including 644, 655, and 1105) — is a legally binding regulatory instrument. Non-compliance carries real consequences: enforcement action, reputational damage, and in severe cases, risk to your financial institution's licence.

For CISOs and IT managers at Singapore financial institutions, the question is no longer "do we need to comply?" It's "are we actually compliant — and can we demonstrate it?" This article breaks down what MAS Notice 655 requires, what compliance looks like in practice, and where most Singapore FSPs fall short.

What Is MAS Notice 655?

MAS Notice 655 is part of MAS's Cyber Hygiene Notice framework (formalized as FSM-N06), which was issued on 6 August 2019. It applies to all financial institutions operating in Singapore — banks, insurers, capital markets firms, payment service providers, and licensed financial advisers — and mandates a baseline set of cybersecurity controls that every regulated entity must implement and maintain.

The Notice sits alongside the MAS Technology Risk Management (TRM) Guidelines (revised July 2025), which provide broader best-practice guidance. But where TRM is a guideline, the Cyber Hygiene Notice is a directive. MAS has enforcement authority and has demonstrated willingness to use it — the regulator has levied significant fines across multiple institutions in recent years for technology risk failures.

Unlike compliance frameworks that let you choose your own scope, MAS Notice 655 sets a floor. You must meet these controls. The question is how well you implement them.

The Five Key Requirements

The Cyber Hygiene Notice defines five core areas that all Singapore financial institutions must address:

MAS Notice 655 — Mandatory Controls

  • Secure administrative accounts — Multi-factor authentication (MFA) must be enforced for all privileged and administrative accounts. Regular access reviews and strict privileged access management (PAM) are required.
  • Timely patching — Security patches must be applied promptly and on a risk-based schedule. Critical vulnerabilities demand faster turnaround than routine updates.
  • Malware protection — Endpoint detection and response (EDR) must be deployed on all endpoints, with centrally managed, auto-updated threat signatures.
  • Network perimeter security — Firewalls, intrusion detection/prevention systems (IDS/IPS), and network segmentation must be in place and actively maintained to prevent unauthorized access.
  • Security monitoring — Continuous monitoring of security events is mandatory. This means a SIEM platform or equivalent, with around-the-clock coverage to detect and respond to anomalies.

Each of these requirements sounds straightforward on paper. The challenge is implementation depth — MAS expects controls that actually work, not checkbox documentation.

Where Singapore FSPs Commonly Fall Short

After working with financial institutions across Singapore, from boutique payment service providers to mid-sized insurers, certain gaps appear repeatedly.

MFA adoption that isn't complete

Many organizations have enabled MFA for some admin accounts — usually those with direct cloud console access — but have overlooked legacy systems, on-premise servers, or vendor accounts. MAS expects coverage across all privileged accounts, not just the obvious ones.

Patch windows that are too wide

It's common to see patch cycles of 30 or 60 days applied uniformly across all systems. MAS's expectation is risk-based: critical vulnerabilities affecting internet-facing or financial systems should be patched within days, not weeks. Your patch management policy needs to reflect these tiers explicitly.

Security monitoring gaps overnight and on weekends

A SIEM that generates alerts nobody reads is not security monitoring — it's log storage. The Cyber Hygiene Notice expects that security events are actually reviewed and acted upon. Many smaller Singapore FSPs lack the internal headcount for 24/7 SOC coverage, which is precisely why managed security services exist.

Incomplete network segmentation

Firewalls are in place, but micro-segmentation between critical financial systems and the broader network is often missing. If an attacker compromises one system, poorly segmented networks allow lateral movement across your environment.

Practical Steps to Get Compliant

Compliance with MAS Notice 655 is achievable — it requires systematic effort, not heroics. Here's how to approach it:

  • Conduct a gap assessment first. Map your current controls against each of the five requirements. Be honest about coverage gaps — that's what MAS inspections will expose anyway.
  • Fix MFA immediately. It's the highest-visibility control, and it directly addresses the most common initial attack vector. Audit all privileged accounts and enforce MFA without exceptions.
  • Establish a patch SLA by risk tier. Define and document your patching timelines: critical patches within 72 hours, high-severity within 7 days, medium within 30 days. Then automate where possible.
  • Deploy EDR, not just antivirus. Legacy antivirus does not satisfy the spirit of the malware protection requirement. EDR with behavioral detection and central management is what MAS expects to see.
  • Address your monitoring gap. If you cannot staff a 24/7 SOC internally, engage a managed SOC provider. The cost is a fraction of the regulatory and reputational risk of a missed incident.
  • Generate audit-ready evidence. Compliance isn't just about having controls — it's about proving you have them. Maintain logs, reports, and documentation that can be produced during an MAS inspection.
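
As an added example (not from the article or any MAS publication), the check below turns the tiered patch SLA just listed into audit evidence: constructed findings are measured against the 72-hour, 7-day and 30-day deadlines, and open items past their deadline are flagged rather than ignored. Host names, vulnerability ids and the 'low' tier are assumptions.

```python
# Added example (not from the article or MAS): patch-SLA breach check using
# the tiers the article proposes: critical 72h, high 7 days, medium 30 days.
# Findings below are constructed sample data; the 'low' tier is an assumption.
from datetime import datetime, timedelta

SLA_HOURS = {"critical": 72, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}

# Constructed inventory: vulnerability ids are placeholders, not real CVEs.
FINDINGS = [
    {"host": "core-ledger-01", "vuln": "VULN-0001", "severity": "critical",
     "detected": "2025-09-01T09:00", "patched": "2025-09-03T17:00"},  # 56h, in SLA
    {"host": "pay-gw-02", "vuln": "VULN-0002", "severity": "critical",
     "detected": "2025-09-01T09:00", "patched": "2025-09-06T09:00"},  # 120h, late
    {"host": "legacy-app-07", "vuln": "VULN-0003", "severity": "high",
     "detected": "2025-09-01T09:00", "patched": None},                # still open
    {"host": "hr-portal", "vuln": "VULN-0004", "severity": "medium",
     "detected": "2025-08-01T09:00", "patched": "2025-08-20T09:00"},  # 19d, in SLA
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def assess(findings, now):
    """One evidence row per finding: SLA deadline, status, hours over SLA.
    `now` is an ISO timestamp; open findings are measured against it, so an
    unpatched item past its deadline is reported as overdue, not skipped."""
    now_dt = _parse(now)
    rows = []
    for f in findings:
        sev = f["severity"]
        if sev not in SLA_HOURS:            # unknown tier: fail loudly, don't guess
            raise ValueError(f"unknown severity tier: {sev!r}")
        deadline = _parse(f["detected"]) + timedelta(hours=SLA_HOURS[sev])
        end = _parse(f["patched"]) if f["patched"] else now_dt
        over = max(0.0, (end - deadline).total_seconds() / 3600)
        if f["patched"]:
            status = "patched_in_sla" if over == 0 else "patched_late"
        else:
            status = "open_in_sla" if over == 0 else "open_overdue"
        rows.append({"host": f["host"], "vuln": f["vuln"], "severity": sev,
                     "deadline": deadline.isoformat(timespec="minutes"),
                     "status": status, "hours_over_sla": round(over, 1)})
    return rows

def breaches(findings, now):
    """Rows an inspector would flag: late patches and overdue open items."""
    return [r for r in assess(findings, now)
            if r["status"] in ("patched_late", "open_overdue")]
```

Run `assess(FINDINGS, "2025-09-15T09:00")` to produce the full evidence table, or `breaches(...)` for only the rows that need remediation or an explanation.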

There's also a broader regulatory context worth noting: from February 2026, MAS requires all financial institutions to submit incident reports via the MAS-Tx platform — the MAS Financial Institutions Transactions Platform. Your incident response procedures need to account for these mandatory reporting timelines.

How MAS Notice 655 Connects to MAS TRM

MAS Notice 655 (Cyber Hygiene) and the MAS TRM Guidelines operate together. The TRM Guidelines cover a wider scope — vendor risk management, board-level governance of technology risk, disaster recovery with mandated four-hour recovery time objectives for critical systems — while the Cyber Hygiene Notice focuses on the technical baseline every institution must meet.

The smart approach is to treat them as a unified programme rather than separate compliance exercises. A well-designed MAS TRM programme will satisfy the Cyber Hygiene Notice requirements as a subset, and the evidence you produce will serve both regulatory obligations simultaneously.

How Infinite Cybersecurity Helps

We work with Singapore financial institutions at every stage of the compliance journey — from initial gap assessment through to ongoing managed compliance operations. Our CREST-certified team understands MAS requirements not as a theoretical exercise, but as the practical reality your institution faces during inspections and enforcement reviews.

Our MAS TRM Starter Pack was designed specifically for Singapore FSPs — particularly payment service providers, fintechs, and smaller insurers who need comprehensive compliance without the overhead of a large internal security team. It covers VAPT, incident response planning, security awareness training, and active risk monitoring, all aligned to MAS expectations.

If you're unsure where your institution stands against MAS Notice 655, the right first step is a structured gap assessment — not guesswork.

Speak to a Singapore cybersecurity expert

Get a clear picture of where your institution stands against MAS Notice 655 — and a practical path to compliance.