The Logging Gap That Costs Businesses Dearly
When a Singapore business suffers a data breach, the first questions regulators ask are not what happened — they want to know whether the organisation can prove what happened. Who accessed which systems, when, and from where. Whether anomalous activity was detectable in advance. What the sequence of events was, and when the business first had the information to act.
Without comprehensive security logs and audit trails, these questions cannot be answered. And the inability to answer them — not just the breach itself — is what drives the most significant regulatory findings under both the MAS Technology Risk Management (TRM) Guidelines and the Personal Data Protection Act (PDPA). Singapore businesses that treat logging as an afterthought are not just operationally blind. They are exposed to regulatory consequences that could have been avoided.
This guide covers what Singapore CISOs and IT managers need to know about building and maintaining security logging infrastructure that satisfies MAS TRM, PDPA obligations, and the evidentiary requirements of incident response.
What MAS TRM and PDPA Actually Require
Both frameworks impose explicit logging and audit trail requirements — but they are often poorly understood in practice.
MAS TRM Guidelines
The MAS Technology Risk Management Guidelines require financial institutions to implement audit logging for all privileged and sensitive system activities. Specific requirements include:
- Privileged user activity logging — All actions by system administrators, database administrators, and other privileged accounts must be logged, including commands executed, files accessed, and configuration changes made.
- Access and authentication logs — Successful and failed login attempts, multi-factor authentication events, session initiation and termination, and remote access connections.
- System and application event logs — Security-relevant application events, system errors, and configuration changes across critical systems.
- Log integrity — Logs must be protected from tampering. Write-once storage, cryptographic integrity verification, or forwarding to an independent log management platform are all accepted approaches.
- Log retention — MAS TRM requires logs to be retained for a minimum of 5 years for regulated financial institutions, with at least 1 year accessible online for rapid investigation.
PDPA Breach Notification and Investigation Requirements
Under the PDPA mandatory breach notification regime, organisations have 3 calendar days to notify the Personal Data Protection Commission (PDPC) of a notifiable data breach. Conducting a credible investigation within that window — determining what personal data was affected, which systems were compromised, and the likely cause — is impossible without pre-existing log infrastructure.
The PDPC has also published guidance making clear that organisations should maintain logs sufficient to support forensic investigation of incidents involving personal data. The absence of logs is treated as an aggravating factor in enforcement decisions, not simply a technical gap.
Regulatory Reality
Logging gaps compound your regulatory exposure.
Under PDPA, failing to detect a breach promptly due to absent logging can increase the assessed harm — because the organisation could not contain the incident quickly. Under MAS TRM, absent or inadequate logs are a direct finding that triggers remediation timelines. Both regulators treat logging as a baseline expectation, not an advanced control.
What Singapore Businesses Should Be Logging
Effective security logging covers five core categories. Many Singapore SMEs log some of these but not all — and the gaps are consistently where incidents go undetected.
1. Authentication and Identity Events
Log every login attempt — successful and failed — across all systems: Windows Active Directory, cloud platforms (Microsoft 365, AWS, Google Workspace), VPN gateways, and business applications. Include the source IP, timestamp, account name, and authentication method. Failed login spikes are among the earliest indicators of credential stuffing and brute-force attacks.
2. Privileged Access and Administrative Activity
Every action taken by a privileged account — creating or deleting user accounts, modifying firewall rules, accessing database records, running administrative commands — must be logged with full context. This is the highest-value category for both security operations and regulatory audit. MAS TRM examiners specifically look for evidence that privileged activity is logged and reviewed.
3. Data Access and Exfiltration Indicators
Log access to sensitive data repositories: file servers, databases containing personal data, cloud storage buckets, and document management systems. Pay particular attention to bulk download events, access outside normal business hours, and access from unusual locations or devices. These patterns are the primary indicators of data exfiltration — whether by external attackers or insider threats.
4. Network and Perimeter Activity
Firewall logs, DNS query logs, proxy logs for outbound web traffic, and VPN connection logs collectively form the network visibility layer. Connections to known malicious domains, unusual outbound data volumes, and lateral movement between internal network segments all surface in network logs first.
5. System and Configuration Changes
Log all changes to system configurations, security policies, software installations, and scheduled tasks. Attackers who achieve initial access frequently modify system configurations to establish persistence — and these changes are detectable if change logging is active. MAS TRM requires evidence that change management processes are logged and auditable.
Practical Steps to Build a Compliant Logging Programme
Step 1 — Inventory Your Log Sources
Map every system that should be generating logs: endpoints, servers, network devices, cloud platforms, SaaS applications, and business systems. Identify which are currently logging, what they are logging, and where logs are being stored. Most Singapore businesses find significant gaps in cloud application logging and SaaS platform coverage.
Step 2 — Centralise and Protect Log Storage
Logs stored only on the system that generated them are vulnerable to deletion by an attacker who has compromised that system. Forward logs to a centralised Security Information and Event Management (SIEM) platform or a dedicated log management service. Implement write-protection and access controls so that only authorised personnel can access the log repository, and no one can delete logs without a documented process.
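The "cryptographic integrity verification" option listed under MAS TRM log integrity, and the protection of a centralised repository described in Step 2, both come down to one property: a defender must be able to prove that a stored log has not been edited, reordered or cut short after the fact. The Python below is an added illustration, not code from the original article or from Infinite Cybersecurity. It chains each entry to the previous one with an HMAC held only by the central collector (the key, the entry field names and the sample lines are constructed assumptions) and then shows which kinds of alteration the chain detects on its own and which require the latest MAC to be anchored in a separate write-once location.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment only the central collector holds it,
# so a compromised source host cannot recompute valid MACs after editing its logs.
COLLECTOR_KEY = b"constructed-demo-key-replace-in-real-use"
GENESIS = "0" * 64  # anchor value used as the "previous MAC" of the first entry


def _entry_mac(key, prev_mac, ts, source, message):
    """HMAC-SHA256 over the entry fields *and* the previous MAC, binding order."""
    payload = json.dumps(
        {"prev": prev_mac, "ts": ts, "source": source, "msg": message},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain, key, ts, source, message):
    """Append one entry to the chain and return the new head MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = _entry_mac(key, prev, ts, source, message)
    chain.append({"prev": prev, "ts": ts, "source": source, "msg": message, "mac": mac})
    return mac


def verify_chain(chain, key, expected_head=None):
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad link).

    expected_head is the last MAC published to a separate write-once location.
    Without it, removal of the newest entries (truncation) cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i  # an earlier entry was removed or the order changed
        expected = _entry_mac(key, entry["prev"], entry["ts"], entry["source"], entry["msg"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i  # this entry's contents were edited
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # entries are missing from the tail
    return True, -1


def build_sample_chain(key=COLLECTOR_KEY):
    """Constructed sample entries (not real logs); returns (chain, head_mac)."""
    lines = [
        ("2024-03-04T02:03:11+08:00", "vpn-gw-01", "login fail user=svc-backup src=198.51.100.20"),
        ("2024-03-04T02:05:40+08:00", "vpn-gw-01", "login ok user=svc-backup src=198.51.100.20"),
        ("2024-03-04T02:10:02+08:00", "dc-01", "account created by=svc-backup target=helpdesk2 role=admin"),
    ]
    chain, head = [], GENESIS
    for ts, source, msg in lines:
        head = append_entry(chain, key, ts, source, msg)
    return chain, head


def tamper_scenarios(key=COLLECTOR_KEY):
    """Apply three kinds of alteration to a copy of the chain and return each verdict."""
    chain, head = build_sample_chain(key)
    edited = copy.deepcopy(chain)
    edited[1]["msg"] = edited[1]["msg"].replace("login ok", "login fail")  # rewrite an entry
    removed = copy.deepcopy(chain)
    del removed[1]  # drop an entry from the middle
    truncated = copy.deepcopy(chain)[:2]  # drop the newest entry
    return {
        "intact": verify_chain(chain, key, head),
        "edited": verify_chain(edited, key, head),
        "removed": verify_chain(removed, key, head),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, head),
    }


if __name__ == "__main__":
    for name, verdict in tamper_scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

The practical point is the last two verdicts: a hash or HMAC chain alone proves nothing about entries that were simply deleted from the end, so the current head MAC must be exported on a schedule to storage the source host cannot write to (the SIEM, a WORM bucket, or a signed daily digest), and retention and deletion of the chain must go through the documented process Step 2 calls for.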
Step 3 — Define and Enforce Retention Periods
For MAS-regulated entities: 5 years total retention, minimum 1 year online. For PDPA-compliant organisations: retain logs long enough to support investigation of the oldest plausible breach — at minimum 12 months, preferably 24 months for organisations handling significant personal data volumes. Automate retention enforcement so logs are neither deleted too early nor retained indefinitely at unnecessary cost.
Step 4 — Build Detection Rules, Not Just Storage
Logs that are collected but never reviewed provide little security value. Implement detection rules for high-priority scenarios: multiple failed logins followed by success, privileged account activity outside business hours, large data downloads from sensitive repositories, and new administrative accounts created. Even basic alerting on these patterns provides meaningful detection capability.
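The four scenarios named in Step 4, together with the failed-login spike flagged under category 1, are simple enough to express as a handful of stateful rules over a stream of normalised events. The Python below is an added example, not code from the original article or from Infinite Cybersecurity: it runs those rules over constructed sample events and returns the alerts a SIEM would raise. The event field names, the thresholds, and the 09:00 to 18:00 SGT weekday business window are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SGT = timezone(timedelta(hours=8))  # Singapore Standard Time, UTC+8

# Assumed thresholds; adjust to your environment's normal behaviour.
FAILED_LOGIN_THRESHOLD = 5                    # failures from one source IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within this window, then a success
BULK_DOWNLOAD_BYTES = 500 * 1024 * 1024       # bytes per user from sensitive repos ...
BULK_WINDOW = timedelta(hours=1)              # ... within this window
BUSINESS_START, BUSINESS_END = 9, 18          # local hours, Monday to Friday

# Constructed sample events (not real logs); "ts" is ISO-8601 with a UTC offset.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:00:05+08:00", "event": "login", "user": "alice", "src": "203.0.113.7", "status": "ok"},
    {"ts": "2024-03-04T10:15:00+08:00", "event": "admin_action", "user": "alice", "action": "modify_firewall_rule"},
] + [
    {"ts": f"2024-03-04T02:0{m}:00+08:00", "event": "login", "user": "svc-backup",
     "src": "198.51.100.20", "status": "fail"}
    for m in range(5)
] + [
    {"ts": "2024-03-04T02:05:40+08:00", "event": "login", "user": "svc-backup", "src": "198.51.100.20", "status": "ok"},
    {"ts": "2024-03-04T02:10:02+08:00", "event": "admin_action", "user": "svc-backup",
     "action": "create_account", "target": "helpdesk2", "role": "admin"},
    {"ts": "2024-03-04T14:00:00+08:00", "event": "download", "user": "bob", "repo": "hr-fileshare", "bytes": 200 * 1024 * 1024},
    {"ts": "2024-03-04T14:20:00+08:00", "event": "download", "user": "bob", "repo": "hr-fileshare", "bytes": 200 * 1024 * 1024},
    {"ts": "2024-03-04T14:40:00+08:00", "event": "download", "user": "bob", "repo": "hr-fileshare", "bytes": 200 * 1024 * 1024},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def outside_business_hours(t):
    local = t.astimezone(SGT)
    return local.weekday() >= 5 or not (BUSINESS_START <= local.hour < BUSINESS_END)


def detect(events):
    """Return alerts in time order; each alert is a dict with rule, user, detail, ts."""
    alerts = []
    recent_fails = defaultdict(deque)   # src IP -> timestamps of recent failed logins
    downloads = defaultdict(deque)      # user -> (timestamp, bytes) of recent downloads
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        t = parse_ts(e["ts"])
        if e["event"] == "login":
            q = recent_fails[e["src"]]
            while q and t - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()                      # expire failures outside the window
            if e["status"] == "fail":
                q.append(t)
            elif len(q) >= FAILED_LOGIN_THRESHOLD:
                # Rule 1: a burst of failures from one source followed by a success
                alerts.append({"rule": "BRUTE_FORCE_SUCCESS", "user": e["user"],
                               "detail": e["src"], "ts": e["ts"]})
                q.clear()
        elif e["event"] == "admin_action":
            if outside_business_hours(t):
                # Rule 2: privileged activity outside the business window
                alerts.append({"rule": "PRIV_OUT_OF_HOURS", "user": e["user"],
                               "detail": e["action"], "ts": e["ts"]})
            if e["action"] == "create_account" and e.get("role") == "admin":
                # Rule 4: a new administrative account
                alerts.append({"rule": "NEW_ADMIN_ACCOUNT", "user": e["user"],
                               "detail": e.get("target"), "ts": e["ts"]})
        elif e["event"] == "download":
            q = downloads[e["user"]]
            while q and t - q[0][0] > BULK_WINDOW:
                q.popleft()
            q.append((t, e["bytes"]))
            total = sum(b for _, b in q)
            if total > BULK_DOWNLOAD_BYTES:
                # Rule 3: cumulative volume from a sensitive repository over the window
                alerts.append({"rule": "BULK_DOWNLOAD", "user": e["user"],
                               "detail": total, "ts": e["ts"]})
                q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']}  {a['rule']:20s} user={a['user']} detail={a['detail']}")
```

Two design choices matter more than the thresholds. Events are sorted by timestamp before evaluation, because sources arrive at a collector out of order and the "failures then success" rule is meaningless otherwise. And each rule holds only a bounded window of state per key (source IP or user), which is what keeps the same logic workable when the input is a live stream rather than a list. Note that the sample run raises both an out-of-hours alert and a new-admin alert for the same event, which is the intended behaviour: the two rules answer different questions, and a reviewer should see both.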
Step 5 — Test Log Coverage in VAPT Engagements
Include log coverage testing as part of your annual penetration testing programme. A CREST-accredited VAPT provider can simulate attacker behaviour and verify whether your logging infrastructure would have detected each stage of the attack — giving you concrete evidence of logging gaps before a real incident exposes them.
How Infinite Cybersecurity Helps Singapore Businesses
Infinite Cybersecurity works with Singapore financial institutions, fintechs, and regulated businesses to design and implement logging programmes that satisfy MAS TRM, PDPA, and ISO 27001 requirements — and that provide genuine operational security value rather than just regulatory checkboxes.
Our services in this area include:
- Log Coverage Assessment — A structured review of your current log sources, coverage gaps, retention periods, and integrity controls against MAS TRM and PDPA requirements. We identify exactly what is missing and what the regulatory risk of each gap is.
- SIEM Implementation and Tuning — We design and implement centralised log management and SIEM platforms sized for your environment, with detection rules tuned to the Singapore threat landscape and regulatory requirements.
- MAS TRM and ISO 27001 Gap Assessment — For financial institutions preparing for MAS TRM examinations or ISO 27001 certification, we conduct structured gap assessments that include logging and monitoring as a core domain.
- VAPT with Log Coverage Testing — Our CREST-accredited penetration testing engagements can include explicit testing of your logging and detection capability, validating whether your current infrastructure would detect a real attacker.
- Virtual CISO (CISOaaS) — Retained security leadership that includes oversight of your logging programme, regular log review, and representation to regulators and auditors on your monitoring and detection posture.
Every engagement is scoped to your regulatory obligations and current maturity. Whether you are building logging infrastructure from scratch or preparing for a MAS examination, we provide practical guidance backed by CREST accreditation and deep Singapore regulatory experience.
Ready to Close Your Logging Gaps?
Contact our Singapore cybersecurity experts to assess your current logging coverage, identify gaps against MAS TRM and PDPA requirements, and build a programme that protects you before the next incident.