As businesses continue to transform and digitalise in Asia and globally, the incentive for malicious actors to break into these systems and steal or gather data grows in tandem. Earlier this week, on 18 January 2021, the Monetary Authority of Singapore (MAS) announced new rules for all financial institutions and fintech firms in Singapore, after the SolarWinds cyber-attack exposed firms around the world.
MAS said that financial institutions are increasingly reliant on third-party service providers as they adopt new technologies. Engaging an external vendor, which may in turn procure third-party tools, brings significant third-party risk to banking systems.
Weaknesses may arise during the engagement of the third-party vendors. The gap could be from:
In short, third-party management is important: the organisation must be able to specify its requirements accurately, identify vendors that are strong in those areas, and work with the strengths of those vendors. When vendors are working under the constraints of limited resources and tight deadlines, they may overlook the information security of the third-party tools used in developing the apps. They may also "over-provide" features that pose data protection risks. This is a form of vendor risk that the organisation needs to be mindful of.
"Unknown third-party suppliers are what MAS is most worried about... Financial institutions that do not allocate sufficient financial resources may be more open to unknown third-party suppliers."
The revised Technology Risk Management (TRM) guidelines include:
The revision took in feedback from a public consultation in 2019 and other expert engagements.
The guidelines elaborate on the mandatory requirements set out in the MAS TRM notice, with a fine of up to $100,000 for non-compliance under the Banking Act. In the case of a continuing offence, a further fine of up to $10,000 daily may be levied.
Businesses now operate in an increasingly interconnected world, sharing sensitive data and access with third parties. This makes many processes easier, but also increases the level of risk originating from third parties. It is imperative to have the capability to continuously monitor and manage third-party compliance, risk and performance. The organisation, being accountable for the protection of the data it holds, will need to identify and assess risks, manage the contract and conduct compliance assessments as part of complying with the Personal Data Protection Act (PDPA). In this regard, the teams in financial institutions will need to maintain their knowledge and upskill to keep pace with the latest developments.
Security and privacy are not interchangeable, and app developers (whether in-house or outsourced) need to know the differences when developing an app. The Certified Information Privacy Technologist certification by the IAPP (International Association of Privacy Professionals) is a good foundational course on privacy for technology professionals, especially as it works through the lifecycle of personal information: its collection, use, disclosure and storage. In Singapore, the course is run by the Data Protection Excellence (DPEX) Network.
It's time to mitigate data privacy risks, and with work-from-home becoming prevalent, there's no better time to start than now with a new course!
For more information on course details, do write to us at courses@straitsinteractive.com or call us at 6920 5462 / 6815 8010.
By Lee Wen Xin, DPEXNetwork Community Development Executive
Edited by Leong Wai Chong, CIPM, GRCP
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.