What should an organisation look out for in third party management? The case of MAS' concern.

As businesses continue to transform and digitalise in Asia and globally, the incentive for malicious actors to hack into these systems, steal and gather data grows in tandem. Earlier this week on the 18th January 2021, the Monetary Authority of Singapore (MAS) announced new rules for all financial institutions and those in the fintech industry in Singapore after SolarWinds cyber-attack exposes firms around the world.

MAS said that financial institutions are increasingly reliant on third-party service providers as they adopt new technologies. Using an external third-party vendor which may procure third-party tools brings significant third-party risks to banking systems. 

Weaknesses may arise during the engagement of the third-party vendors. The gap could be from:

• Awareness of data protection regulatory requirements and risks when personal data are involved
• Translation and communication of requirements in the scope of contract 
• adequacy in contract specifications to enforce and control of specifications
• Third-party may further procure or subcontract solutions in which the requirements- specifications may be “lost in translation”.
• Selecting the right service provider according to their strengths
• Managing the vendors, which include risk assessment and controls on the vendors.

In short, third party management is important, from the organisations being able to accurately specify the requirements, to identifying vendors that are strong in those areas and to work with the strengths of their vendors.  Often when vendors are working under the constraints of limited resources and tight deadlines, the vendor may overlook the info-security of the third party tools in the development of apps.  They may “over-provide” some of the features that pose as data protection risks. This is a form of vendor risk that the organisation needs to be mindful of

"Unknown third-party suppliers are what MAS is most worried about... Financial institutions that do not allocate sufficient financial resources may be more open to unknown third-party suppliers."

The revised Technology Risk Management (TRM) guidelines include:

1. The screening of component suppliers is now clearly spelt out, it covers a wide range of topics to help firms in the finance industry fob off and recover from cyber attacks and system failures, although due diligence on technology vendors was already a must.
2. Financial services firms must vet entities that access their application programming interfaces (APIs) by looking at the nature of their business, cyber security posture, industry reputation and track record as well as secure the development of the APIs and encrypt sensitive data transmitted to prevent leaks or hackers injecting malicious codes.
3. The board of directors and senior management in financial institutions must vet and approve key technology and cyber-security appointments.

The revision took in feedback from a public consultation in 2019 and other expert engagements.

The guidelines elaborate on the mandatory requirements set out in the MAS TRM notice, with a fine of up to $100,000 for non-compliance under the Banking Act. In the case of a continuing offence, a further fine of up to $10,000 daily may be levied.

Businesses now operate in an increasingly interconnected world, sharing sensitive data and access with third parties. This makes many processes easier, but also increases the levels of risk originating from third parties. It is imperative to have capabilities at hand to continuously monitor and manage third-party compliance, risk and performance.  The organisation, being accountable for the protection of the data it holds, will need to be able to identify and assess risks, manage the contract and conduct compliance assessments as part of complying with the Personal Data Protection Act (PDPA).  In this regard, the team in the financial institutions will need to maintain their knowledge and upskill with the latest development.

Security and privacy are not quite interchangeable and app developers (whether in-house or outsourced), need to know the differences when developing the app. The Certified Information Privacy Technologist certification by the IAPP (International Association of Privacy Professionals) is a good foundational course on privacy for technology professionals, especially as it works through the lifecycle of personal information - its collection, use, disclosure and storage. In Singapore, the course is run by the Data Protection Excellence (DPEX) Network and course information can be found here (please include the course info in the link ‘here’).

It’s time to mitigate data privacy risks and with work-from-home becoming prevalent, there’s no better time than to start now with a new course!

For more information on course details, do write to us at courses@straitsinteractive.com or call us at 6920 5462 / 6815 8010.

Click here for learning and development in risk management and for third party management.

By Lee Wen Xin, DPEXNetwork Community Development Executive
Edited by Leong Wai Chong, CIPM, GRCP

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.