Saturday, April 20, 2024

Commentary: DBS, Citi bank outage has implications on national security

SINGAPORE: Oct 14 was an otherwise ordinary Saturday afternoon until many in Singapore found themselves unable to shop, buy food, pay for public transport, or carry out many of their usual weekend activities. DBS and Citibank customers discovered that they could not withdraw cash from automated teller machines (ATMs) nor transfer money via online or digital banking.

Although the outage struck the two banks, customers of other banks also found themselves unable to transact because many businesses also rely on DBS and Citi payment terminals. Around 2.5 million payment and ATM transactions could not be completed. The banks were only able to fully restore services more than 12 hours later, the next day.

DBS PayLah! and digibank services were disrupted for hours in March earlier this year, and similarly for two days in November 2021. Citi, OCBC and UOB also suffered disruptions between July 2021 and July 2022. However, the problems were solved by the end of the day, and news cycles and attention spans are short.

Even this incident will be forgotten – at least until the next time. But one fact from this latest outage that should worry us is that two banks went offline because of a technical failure in one data centre.

It shows the vulnerability of the modern technology supply chain, that critical infrastructure can fail due to simple human error by a service provider outside of the regulator’s oversight.

Some may recall power outages that caused disruptions for hours on three MRT lines in 2020. More than a hundred thousand homes and businesses all over Singapore suffered brief blackouts in 2018.  

Life quickly returned to normal but these are a warning of what could happen if we were ever hit by an intentional attack on our systems, or a combination of unintended accidents. 

THREAT OF INTENTIONAL ATTACKS

A cyberattack on our power supply that caused extended blackouts would bring businesses, schools, and daily life to a halt. Food supplies would be threatened by the failure of refrigeration units. A coordinated cyberattack that disrupted multiple banks' systems for days, combined with hostile information campaigns to create panic, could cause a run on the banks – even a financial crisis.

Especially with hacking tools proliferating in the unstable geopolitical situation, these scenarios cannot be ruled out. As my colleague Michael Raska has written, Hamas’ surprise Oct 7 attack on Israel shows the risks of assuming that military-technological superiority will always protect us. 


One response is to call for more regulation, tighter requirements for systems and stricter penalties for failure. The Monetary Authority of Singapore (MAS) already requires banks to ensure that mission critical systems and services can recover quickly from system disruptions, with no more than four hours of unscheduled downtime within a 12-month period. Consequently, MAS has ordered a thorough investigation into the recent outage.

On Nov 1, MAS announced it had barred DBS from any acquisitions of new business ventures for six months and ordered it to pause non-essential IT changes which could cause further disruption. The regulator had already imposed additional capital requirements on Singapore’s largest bank because of previous disruptions.

Such actions help protect customers, but also illustrate that regulation alone can only do so much, because the disruptions keep on coming. Even the regulator acknowledges that disruptions could still occur while the bank’s systems are being made more resilient.

Another response is to call for more resilient systems. Experts have shared several ways that banks and other businesses can do so, and enterprises should pay attention.

MAS has directed DBS not to reduce its branch and ATM networks so that customers have alternative ways to get cash. Enterprises also need to explore whether their backup systems have backup systems of their own, and whether they are all interconnected in ways that make them vulnerable to a single point of failure.


Technology resilience and cyber resilience (the ability to bounce back after a technology failure or cybersecurity incident respectively) are costly because they require measures like back-ups, buffers, redundant systems, and multi-sourcing.

In the case of critical infrastructure and essential services, these are necessary costs, because issues will still arise despite everyone’s best efforts. More positively, resilience enables business to continue, reduces losses, protects customers and trust, and can be a competitive advantage. 

On a more personal scale, the most vulnerable entities are small businesses and individuals that have no choice but to rely on larger systems for transactions, payment, or data storage, or who cannot afford to set up redundant systems.  

IMPORTANCE OF SOCIAL RESILIENCE

As many of us experienced on Oct 14, you could have diversified cashless payments across GrabPay and Google Pay but still be hit if you needed your DBS account to top up the wallets. You could have diversified your credit cards across UOB and OCBC, but if the petrol stations were using Citi payment systems, you still could not buy fuel.  

The entire NETS system of cashless payments, used by all major banks in Singapore, could fail, as it did on Nov 3 during the peak lunch hours.
