As businesses continue to transform and digitalise in Asia and globally, the incentive for malicious actors to hack into these systems and steal and gather data grows in tandem. Earlier this week, on the 18th January 2021, the Monetary Authority of Singapore (MAS) announced new rules for all financial institutions and those in the fintech industry in Singapore, after the SolarWinds cyber-attack exposed firms around the world.
MAS said that financial institutions are increasingly reliant on third-party service providers as they adopt new technologies. Using an external vendor which may procure third-party tools brings significant risks to banking systems.
Weaknesses may arise during the engagement of the third party. The gap could be from:
In short, third-party management is important, from the organisation being able to accurately specify its requirements, to identifying vendors that are strong in those areas and working with the strengths of those vendors. Often, when vendors are working under the constraints of limited resources and tight deadlines, they may overlook the information security of the third-party tools they use in the development of apps. They may "over-provide" features that pose data protection risks.
"Unknown third-party suppliers are what MAS is most worried about... Financial institutions that do not allocate sufficient financial resources may be more open to unknown third-party suppliers."
The revised Technology Risk Management (TRM) guidelines include:
The revision took in feedback from a public consultation in 2019 and other expert engagements.
The guidelines elaborate on the mandatory requirements set out in the MAS TRM notice, with a fine of up to $100,000 for non-compliance under the Banking Act. In the case of a continuing offence, a further fine of up to $10,000 daily may be levied.
Businesses now operate in an increasingly interconnected world, sharing sensitive data and access with third parties. This makes many processes easier, but also increases the level of risk originating from third parties. It is imperative to have capabilities at hand to continuously monitor and manage third-party risk and performance. The organisation, being accountable for the protection of the data it holds, will need to be able to identify and assess risks, manage the contract and conduct compliance assessments relating to data protection. In this regard, teams in financial institutions will need to keep their knowledge current and upskill with the latest developments.
Security and privacy are not interchangeable, and app developers (whether in-house or outsourced) need to know the difference when developing an app. The Certified Information Privacy Technologist certification by the IAPP (International Association of Privacy Professionals) is a good foundational course on privacy for technology professionals, especially as it works through the lifecycle of personal information: its collection, use, disclosure and storage. In Singapore, the course is run by the Data Protection Excellence (DPEX) Network, and course information can be found here.
It's time to mitigate data privacy risks, and with work-from-home becoming prevalent, there's no better time to start than now with a new course!
For more information on course details, do write to us at firstname.lastname@example.org or call us at 6920 5462 / 6815 8010.
By Lee Wen Xin, DPEXNetwork Community Development Executive
Edited by Leong Wai Chong, CIPM, GRCP
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.