What Should An Organisation Look Out for in Third Party Management?

Over the years, data security has become a top priority for many organisations and with good reason. Since the adoption of complex IT environments and widespread use of cloud services, the number of successful breaches has risen dramatically. The sophisticated nature of today’s cybercriminals is also seen as a major factor.

The good news? Most security breaches are preventable. While the goals and challenges vary from one organisation to another, many organisations are finding ways to strengthen their current data protection system and practices. For instance, in Singapore, they have the Personal Data Protection Act or PDPA guidelines.

Knowledge of the PDPA guidelines has helped many organisations avoid reputation damage and large fines. Ideally, it is also recommended to have conversations with business stakeholders and IT to have a clear understanding of the long and short-term objectives of the organisation. 

Also, as businesses in Asia continue to digitalise and transform, more malicious actors have been hacking systems and stealing and gathering data. On the 18th of January 2021, the Monetary Authority of Singapore (MAS) introduced new rules for all those in the fintech industry and financial institutions.

MAS stated that while financial institutions have adopted  new technologies, they have also become increasingly reliant on third-party service providers. Undoubtedly, an external vendor can procure third-party tools that can cause significant risk to banking systems. Weaknesses can also arise from engaging with third parties.

The gap can arise from the following:

  • Awareness of risks and data protection regulatory requirements that involve personal data
  • Communication and translation of requirements in the scope of contract
  • Adequacy in contract specifications
  • Third parties may procure or subcontract solutions where the specifications and requirements can get lost in translation
  • Selecting the right service provider based on their strengths 
  • Managing the vendors which involve controls and risk assessment on the vendors

In short, the importance of third party management cannot be overstated. Often, when vendors work under the constraints of tight deadlines and limited resources, the vendor can overlook the info-security of the third party tools that are used. There is also the possibility of “over providing” a few of the features that pose as data protection risks.

Businesses are now operating in a world that’s increasingly interconnected and they are sharing access and sensitive data to third parties now more than before. While this makes many processes a lot easier, it also increases the levels of risk that originate from third parties.

The new Technology Risk Management (TRM) guidelines include:

  1. Screening of component suppliers is now spelt out clearly and now covers a wide range of topics to help organisations avoid and recover from system failures and cyber attacks.
  2. Financial services firms are required to vet entities that access their APIs (application programming interfaces) just by looking at the nature of the business, the industry reputation, as well as the track record.
  3. Senior management and the Board of Directors in financial institutions must vet and approve key cybersecurity appointments and key technologies.

It is then recommended to have capabilities at hand that can help organisations consistently manage and monitor third party performance and risks. Since the organisation is accountable for the data it holds, it needs to be able to effectively identify and assess risks and conduct compliance assessments that relate to data protection.

Privacy and security are not interchangeable and app developers are required to know the differences when developing the app. The Certified Information Privacy Technologist certification provided by the IAPP (International Association of Privacy Professionals) is a great foundational course for technology professionals.

Leave comment

Your email address will not be published. Required fields are marked with *.