What should an organisation look out for in third party management? The case of MAS' concern
Updated: Mar 28, 2021
By Lee Wen Xin, DPEXNetwork Community Development Executive
Edited by Leong Wai Chong, CIPM, GRCP
As businesses continue to transform and digitalise in Asia and globally, the incentive for malicious actors to hack into these systems and steal or gather data grows in tandem. Earlier this week, on 18 January 2021, the Monetary Authority of Singapore (MAS) announced new rules for all financial institutions and those in the fintech industry in Singapore after the SolarWinds cyber-attack exposed firms around the world.
MAS said that financial institutions are increasingly reliant on third-party service providers as they adopt new technologies. Using an external vendor which may procure third-party tools brings significant risks to banking systems.
Weaknesses may arise during the engagement of the third party. The gaps could stem from:
Awareness of data protection regulatory requirements and risks when personal data are involved
Translation and communication of requirements in the scope of contract
Adequacy of contract specifications to enforce and control the requirements
The third party may further procure or subcontract solutions, in which case the requirements and specifications may be “lost in translation”.
Selecting the right service provider according to their strengths
Managing the vendors, which includes risk assessment and controls on the vendors.