4 Third-Party Risk Management Trends in Singapore
Third parties are a staple of modern business, letting companies embrace digital transformation, expand into far-flung markets and do more than ever before. But managing those third parties for risk? That remains a major challenge for companies the world over.
Recently, the Opus team met with Singapore compliance leaders at a special event focused on managing third-party risk in line with GDPR. Throughout our discussion, it became clear that collaboration with like-minded colleagues is a powerful tool, and one that many compliance professionals are eager to see more of. Together, the risk and compliance community can find positive ways forward to address the biggest concerns facing companies today.
Nascent data privacy regulations are putting pressure on Singapore's risk and compliance professionals. Singapore has the steepest possible fines in Asia for a lapse in data security, at up to $1 million. Several companies have already been penalized for third-party data breaches.
Companies are hungry for compliance solutions, and many of the topics we discussed resonated with the concerns of companies around the world. Here are our key takeaways.
1. Growing into the new norm of third-party risk management
Many financial institutions and companies in Singapore are still in the early stages of setting up third-party risk management programs, as regulation in the region is still quite new.
As companies learn how to comply with these requirements themselves, they face the added challenge of having to educate their third-party vendors on the intricacies of compliance. Singapore businesses find it difficult to validate suppliers' statements about their own information security, yet they need to be able to confirm the strength of those suppliers' programs to demonstrate compliance to regulators.
For example, the Monetary Authority of Singapore (MAS) has issued comprehensive guidelines on outsourcing for financial services companies. Further, the Personal Data Protection Act (PDPA) has put greater focus on cybersecurity in Singapore and on the need to manage third-party infosec risk. Data breaches are the number one concern for many reasons, not least of which is increasing enforcement by the Personal Data Protection Commission (PDPC).
Communication between suppliers and customers is less mature in Singapore than in other geographies, and that is the root of the problem. Third parties are simply not used to complying, but as third-party risk management programs get up and running, communication can improve as new processes are put in place.
2. Improving regulatory reporting
Because the information security risks are so great, Singapore compliance professionals want to make sure they get reporting right. MAS requires that regulated institutions maintain a register of their outsourcing arrangements, which must be submitted annually or on request.
Generating this report takes outsize effort, as it’s often completed manually. Yet it’s a crucial vehicle for demonstrating compliance, and one that companies are eager to complete well. It demonstrates to regulators that they have third-party risk management processes in place, and are actively working to reduce risk.
Going forward, automated compliance tools will help Singapore businesses generate reports like this one much more efficiently, improving overall monitoring while meeting regulators’ demands.
3. Taking a controls-driven approach to third-party information security
We believe that adopting a set of controls is critical to the success of a third-party risk management program. For managing infosec risk in particular, we’ve seen that ISO 27001/27002 and the NIST Framework are the most widely accepted standards. Globally, NIST tends to be the most popular framework, while in Singapore compliance and risk professionals favor ISO 27001/27002.
Standards like these give companies a robust way to judge information security risk. If you follow them well, your company will be on track with the best guidance that exists. These standards, however, don't replace local regulations: their broader guidance needs to be adapted or enhanced to meet local requirements.
4. Tackling regulatory requirements, both global and local
At first it may have seemed that GDPR would only affect companies in the European Union, but fewer and fewer still hold that view. The compliance professionals we spoke to in Singapore feel strongly that they are subject to GDPR. It's a sign that companies around the world are aware of the reach of this prominent regulation. The result is that companies are stepping up their compliance efforts, both to be in line with local regulations, like the Personal Data Protection Act (PDPA) in Singapore, and with those enacted in other regions. It's a complex web that entangles companies wherever they base their operations.
The outcome of our Singapore event was positive. As the global community looks for answers to keep customers safe, protect their reputations and comply with regulatory expectations, gatherings like this one are helping put the pieces together for a more secure world.