Mitigating Third-Party Risks in Singapore’s Financial Ecosystem

A Report by CYS Global Remit FinTech Development Unit   

The recent ransomware attack on Toppan Next Tech (TNT), affecting customers of DBS Bank and the Bank of China, has brought to light a crucial issue: third-party service providers are becoming significant points of vulnerability within Singapore’s financial ecosystem. 

This incident has prompted increased scrutiny from regulatory authorities, with the Monetary Authority of Singapore (MAS) and the Cyber Security Agency of Singapore (CSA) emphasizing the urgent necessity for robust cybersecurity governance throughout the financial services supply chain. 

Rising Cyber Threats Reveal Third-Party Vulnerabilities in Singapore's Financial Sector 

Scope of Data Exposure Following the Ransomware Breach 

The ransomware attack, reported to the Personal Data Protection Commission on April 6, 2025, initiated an immediate response from both CSA and MAS. The breach, which targeted TNT—a vendor responsible for printing confidential communications—resulted in the potential exposure of personal data for thousands of customers at the affected banks. 

Regulatory Response and Enhanced Vendor Oversight 

In light of this breach, MAS has reiterated that financial institutions must enforce stringent oversight of their third-party vendors and ensure these partners have comprehensive cybersecurity protocols in place. Regular audits and control assessments have transitioned from best practices to mandatory requirements. 

CSA has adopted a proactive approach by encouraging vendors to attain national cybersecurity certifications, such as the Cyber Essentials and Cyber Trust marks. These credentials reflect an organization’s maturity and readiness in cybersecurity. 

Towards a Secure Financial Supply Chain: National Incentives and Future Regulations 

To assist vendors—especially small and medium-sized enterprises (SMEs)—in meeting elevated security standards, CSA has launched co-funding initiatives like the CISO as-a-Service program, which subsidizes up to 70% of costs associated with cybersecurity leadership and infrastructure improvements. 

Furthermore, CSA is exploring the possibility of mandating that vendors secure certification before being allowed to participate in contracts that involve access to sensitive government or financial systems. 

Closing the Gaps in Cybersecurity 

Although Singapore’s financial sector is celebrated for its robust regulatory framework and digital infrastructure, the TNT ransomware incident serves as a stark reminder that cybersecurity is only as strong as its weakest link. As cyber attackers continue to exploit indirect access points through vendors, a more comprehensive and collaborative strategy for supply chain security is essential. 

By proactively aligning with MAS and CSA’s guidance on third-party risk management and obtaining certifications like Cyber Essentials or Cyber Trust, organizations can significantly enhance their operational resilience. These actions not only protect customer data but also demonstrate a commitment to compliance and cybersecurity best practices—crucial elements for establishing trust in cross-border financial services. 

As regulatory scrutiny escalates across the ecosystem, taking proactive measures to secure vendor relationships will position us as a responsible and forward-looking remittance provider in the region. 

Source:  

Singapore Mulls Cybersecurity Certification for Financial Institutions’ Vendors - Fintech Singapore