The revised technology risk management guidelines direct financial institutions to exercise “strong oversight” of arrangements with third-party service providers to ensure data confidentiality, and address the accountability of senior management.
Singapore has updated its guidelines on technology risk management for financial institutions to include, among other things, “strong oversight” of their arrangements with third-party service providers to ensure data confidentiality.
The updated guidelines also contain revised guidance on security management and pressure testing, and on the appointment of third-party vendors and senior IT executives.
Set out in more detail in the Technology Risk Management Guidelines, the updates were made to keep pace with emerging technologies and changing threats, the Monetary Authority of Singapore (MAS) said in a statement on Monday.
Recognizing that financial institutions are increasingly leveraging cloud technology and APIs (application programming interfaces), the legal sector has emphasized the need to implement security controls and risk reduction strategies as part of these organizations’ technological advances and life cycle.
“The emergence of a recent cyber attack on procurement chains, targeted at many IT service providers through the exploitation of widely used network software, clearly shows that the cyber vulnerability situation is getting worse,” he added.
Services from third-party providers, for example, may be delivered through IT and may involve confidential customer information stored by the service provider. Any system failure or security breach at these providers may have a detrimental effect on financial institutions and customers.
The guidelines emphasize the need to assess and manage the company's exposure to technical risks that could affect the privacy and availability of IT systems and data at a third-party service provider before an agreement or partnership is established.
Financial institutions should also ensure, on an ongoing basis, that the third party adopts the “highest level of care and encouragement” in protecting data privacy and integrity and in strengthening the system.
Financial institutions must also establish mechanisms that enable “timely analysis and sharing” of cyber threat intelligence within the sector, and conduct pressure tests to protect their cybersecurity through the simulation of real-time tactics and attacks.
Strong oversight should also extend to human capabilities, including contractors and service providers: financial institutions must ensure that all employees have the necessary skills to perform the required IT tasks and manage technical risks.
This should include the appointment of a CIO or CISO, and the board of the financial institution should have members with the necessary information to provide “effective technical management and cyber risks”, MAS said.
MAS cybersecurity chief executive Tan Yeow Seng said: “Technology is now heavily supportive of many areas of financial services.
Not only are financial institutions adopting new technologies, but they are also relying more on third-party service providers. and financial security risks to financial institutions.”