MAS Update: Managing Risks from Third-Party Arrangements

Introduction

The Monetary Authority of Singapore (“MAS”) has recently published a circular to guide Financial Institutions (“FIs”) on managing technology and cyber risks arising from third-party service providers (“TPSPs”), especially in the light of recent ransomware incidents involving TPSPs like Toppan Next Tech and DataPost.


MAS Expectations

Despite outsourcing certain functions to TPSPs, the FIs remain responsible for safeguarding customer data and must maintain robust incident response capabilities. This includes implementing strong business continuity measures to reduce the impact of IT-related disruptions originating from TPSPs. In this article, we have summarised the key expectations on FIs relating to the below focus areas.


Area of Focus and MAS Expectations on FIs

Technology & Cyber Risk Evaluation

FIs shall conduct periodic assessments of TPSPs focusing, at minimum, on the scope and complexity of the arrangement, the TPSP's risk management capabilities, and the impact on the FI's risk profile; these assessments also provide the input for gap analysis.

FIs must ensure the identified gaps are effectively and promptly addressed by the TPSPs, in accordance with the approved risk appetite. If not, FIs shall consider terminating the service or exploring alternative measures to appropriately mitigate the risks.

FIs shall understand if there is any subcontractor involvement and the capabilities of TPSPs to continuously oversee and manage significant risks associated with such subcontractors.

Contractual Provisions

FIs shall ensure that contracts clearly outline TPSPs’ responsibilities during incidents, require prompt notification of disruptions or breaches to the FIs, and mandate timely responses to MAS inquiries.

Security & Confidentiality

FIs shall ensure that TPSPs’ systems meet the requirements of the MAS Notice on Cyber Hygiene and conduct independent security reviews (e.g., audits, penetration tests).

FIs shall establish protocols in accordance with MAS Notice on Technology Risk Management to protect customer data processed through the TPSP’s systems, including secure data destruction post-contract.

Incident Response & Remediation

During cyber incidents at TPSPs, FIs shall suspend further data transfers, revoke TPSPs’ access and isolate the networks from the TPSP. 

During data breaches at TPSPs, FIs shall promptly determine whether any customer data has been compromised and take proactive measures to mitigate risks to affected customers.

During service disruptions at TPSPs, FIs shall closely monitor the TPSPs’ recovery efforts to ensure services are restored to agreed standards and identified issues are addressed.

Business Continuity Management (“BCM”)

FIs shall develop BCM plans for disruptions at TPSPs, which include establishing clear strategies for customer communication and ensuring reliable contingency plans are in place should the TPSPs be unable to continue delivering their services.

As a contingency measure, FIs shall either appoint an alternative TPSP or develop in-house capabilities to perform the service after confirming that the associated technology and cyber risks align with the approved risk appetite.


Summary

In brief, this paper outlines the expectations from the MAS, which include conducting thorough risk evaluations, enforcing robust contractual provisions and ensuring TPSPs meet cybersecurity standards. FIs must also implement effective incident response and business continuity plans, monitor TPSP remediation efforts and assess the viability of ongoing service arrangements.


This guidance builds on existing MAS Notices and aims to ensure FIs maintain resilience and safeguard customer data throughout their third-party arrangement.


How We Can Help

As a compliance solutions advisor and funds specialist, we provide specialised solutions in line with MAS observations and recommendations to help your institution meet these regulatory requirements, from understanding your organisation and its third-party arrangements to identifying and addressing operational and regulatory gaps. Feel free to reach out to us for a no-obligation discussion.

Contact Us

Address: Asia Square Tower 1, 8 Marina View , #42-42, Singapore 018960

Phone: +65 6407 1067

© 2025 Kai Global
