MAS Outsourcing Guidelines - What CISOs Should Know in 2024
11th December 2024.
That’s the end of the grace period the Monetary Authority of Singapore (MAS) has allowed before its new Notices on Outsourcing (658 and 1121) take effect. Announced on 11th December 2023 with a 12-month grace period, the new Notices also repeal the Outsourcing guidelines set out in Notices 634 and 1108.
This means that even if your organization was compliant with Notices 634 and 1108, last updated in 2018, you still have work to do. You’re probably here because you know that. So without much ado, in this article, I’ll:
- Highlight who the latest MAS Outsourcing guidelines apply to
- Discuss the key areas in the new MAS Outsourcing guidelines
- Show you how to automate parts of the process of becoming (and staying) compliant with MAS’ updated regulations.
Who the Latest MAS Outsourcing Guidelines Apply to
According to the regulator’s official statements, Notices 658 and 1121 spell out compliance requirements for banks and merchant banks, respectively, that outsource relevant services to third parties.
As illustrated below:
Both outsourcing guideline Notices are issued pursuant to section 47A(2), (4), (6), (7) and (12), as applied by section 55ZJ(1), of the Singaporean Banking Act 1970 (the “Act”) and apply to all banks and merchant banks.
The stated information confirms who the new MAS Outsourcing guidelines apply to: banks and merchant banks. However, the responsibility for becoming compliant rests on the senior management, CISOs, and executives at such financial institutions (FIs).
You’ll see that as we proceed. But first:
Key Areas in the New MAS Outsourcing Guidelines
Although there are dozens of requirements, the key areas FIs must address to become compliant with the new MAS Outsourcing guidelines are:
- Having a register of all outsourced service providers
- Third-party risk governance and management oversight
- Ongoing evaluation of 3rd (and 4th) party vendors
- Continuous independent audits of third parties
Register of All Outsourced Relevant Services
Under this requirement, MAS mandates all banks and merchant banks to have and keep a register that comprehensively records all:
More importantly, the regulator requires all FIs to update the register promptly and submit the same to the Authority semi-annually and at any time it is requested.
You can have and keep an updated register of outsourced relevant services like the one required by MAS through the good ol’ spreadsheet. But this will take a lot of manual data entry and maintenance effort. A more efficient way is to leverage Cyber Sierra’s third-party risk management suite:
With our platform, an updated inventory of all third-party vendors and service providers is kept automatically. As shown above, you also get a database your security team can quickly search to track how critical vendors perform relative to the outlined MAS cybersecurity guidelines.
Third-Party Risk Governance & Management Oversight
In the new Outsourcing guidelines, MAS requires the implementation of an appropriate third-party risk management governance framework. It also requires FIs to have an executive team that provides oversight of that framework.
Two critical must-dos are:
To comply with these requirements, you can create a custom third-party risk management governance framework. A better option that helps streamline the compliance process is to adopt and customize globally accepted governance frameworks like SOC and NIST.
Cyber Sierra helps with that:
Our platform is pre-built with customizable versions of the SOC and NIST governance frameworks used to assess 3rd parties worldwide. You also get a single pane to invite all stakeholders needed to collaborate, customize, and oversee any of the governance frameworks your team implements.
Ongoing evaluation of 3rd (and 4th) party vendors
In the updated Outsourcing guidelines, MAS requires FIs to properly evaluate third parties before and after engaging them. The financial regulator also requires due diligence to extend to the subcontractors (fourth parties) a third-party service provider is working with.
These due diligence checks should be ongoing:
To become compliant with the ongoing evaluation of third and fourth parties, MAS expects third parties working with FIs to provide evidence of meeting designated security assessment requirements.
Specifically, they expect that:
You can automate the processes involved in collecting such evidence documents with Cyber Sierra. For instance, you can request and have third parties upload required security assessment evidence from one pane.
Our platform also auto-verifies each piece of uploaded evidence:
The ability to automate crucial third-party risk management processes like this is why financial institutions trust Cyber Sierra. Take one global bank based in Singapore:
Continuous Independent Audits of Third-Parties
The compliance requirement here is straightforward:
Working with independent auditors has many benefits. One is giving external, more experienced eyes a chance to assess third parties that pose risks and could stop your company from becoming compliant. But because MAS requires that this be done on an ongoing basis, there’s a need to streamline the process for everyone.
For instance, you can give auditors a central place where they can search, easily review, and identify third-parties with unsatisfactory security measures in place.
Again, you can do this with Cyber Sierra:
Take the MAS Outsourcing Notices Seriously
Singapore’s threat landscape is always evolving.
To stay one step ahead, Notice 658 and Notice 1121 set out updated measures necessary for protecting financial institutions from threat actors increasingly trying to strike through outsourced services. By taking the new MAS Outsourcing guidelines seriously and complying with them, you bolster your organization’s cyber resilience.
Another reason to take this seriously is the allowed grace period. MAS expects all financial institutions to become compliant with all new requirements before 11th December 2024. Depending on when you read this, that’s just a few months away.
To facilitate the process for your team, consider streamlining and automating the crucial parts of becoming (and staying) compliant. Of course, this is where a platform like Cyber Sierra comes in: