Mandatory Cyber Hygiene for Digital Token Service Providers (DTSPs)in Singapore

The Monetary Authority of Singapore (MAS) has issued Notice FSM-N31on Cyber Hygiene effective 30th June, 2025. It mandates all licensed Digital Token Service Providers (DTSPs) to adopt robust cyber hygiene measures.
This notice applies to all DTSPs licensed under Section 138 of the Financial Services and Markets Act, 2022 (FSM Act) and is aimed at safeguarding critical systems, administrative accounts and customer data against cyber threats.
Whom does DTSPs apply to?
It applies to every DTSPs licensed under the FSM Act. An exception to compliance applies only where a DTSP is unable to exercise direct or indirect control over a system to comply with the requirements of this notice and it is not reasonably practicable to engage an alternative provider over whom such control can be exercised. In such cases, the DTSP is exempt from the relevant requirement to that extent.
What the DTSPs need to do?
The notice lays down certain cyber hygiene practices that DTSPs should follow:
- Secure Administrative Account: Secure all accounts with full privileges and un-restricted access to an OS, application, database, security appliance etc. by using practical measures like strong password policies, multi-factor authentication etc. Put safeguards in place to prevent any unauthorised access or misuse.
- Apply Security patches: Use security patches to fix vulnerabilities promptly (based on the risk level). If no patch exists, implement interim controls to manage the risk.
- Set & Enforce Security Standards: Prepare and implement a written set of security standards for every system you use. Ensure all systems comply with those standards or apply compensating measures where compliance isn’t possible.
- Strengthen Network Perimeter Defences: Since unauthorised access to essential data is serious threat, DTSPs must-
- Use firewalls, filters, and intrusion detection to block unauthorised traffic.
- Regularly review and tighten perimeter rules.
- Deploy Malware Protection
It is very crucial to have a defence mechanism to protect systems from malware infection. DTSPs must install and update anti-malware solutions across all systems.
Key compliance takeaways for DTSPs
The MAS Notice on Cyber Hygiene marks a pivotal step in strengthening Singapore’s digital financial ecosystem. For DTSPs, this is not just another compliance checkbox, it is an essential framework for building trust, protecting customer data and ensuring operational resilience.
The notice sets out the following key compliance considerations:
- Prioritise critical systems
- Harden administrative accounts
- Apply security patches promptly
- Enforce written security standards
- Defend network perimeter
- Maintain effective malware protection
By adopting these, DTSPs not only ensure regulatory compliance but also fortify their reputation as secure, responsible and future-ready players in the digital token space.
Stay Ahead with Komrisk
Komrisk, Lexplosion’s compliance management solution, not only assists organizations in adhering to mandatory regulations like MAS’s Cyber Hygiene Notice but also offers the flexibility to upload internal compliance checklists directly into the platform. This ensures a unified approach to compliance, empowering businesses to seamlessly monitor and manage both external obligations and internal standards.
With Komrisk, organizations can proactively identify potential vulnerabilities, streamline compliance processes and foster a culture of continuous improvement. Incorporating tools like Komrisk into your compliance strategy isn’t just about meeting regulatory requirements, it’s about building a resilient, secure and trustworthy digital ecosystem for your business.
Authored by: Swapna Umakanth
Disclaimer
The information provided on this blog is for general informational purposes only and is not a substitute for professional legal advice. We are not a law firm and are not authorized to practice law in your jurisdiction. Laws and regulations are complex and constantly changing, and information that may be true in one jurisdiction may not apply in another. Before acting on any information you read here, you should consult with a qualified lawyer practicing in the relevant jurisdiction for your specific legal issues or concerns. While we strive to provide accurate and up-to-date information, we make no guarantees that the information on this blog is completely current or error-free. We disclaim any liability for any actions taken or not taken based on the information on this blog.