Vendor Risk Management for Startups
Comprehensive guide to vendor risk management for startups: Learn how to evaluate non-SOC 2 compliant vendors, implement compensating controls, and make informed security decisions.
AI Trailblazer AwardWinner, Smart Nation Singapore & Google
MAS Notices 658 and 1121, Singapore’s binding MAS TPRM guidelines for banks and merchant banks, have been fully in effect since 11 December 2024. If your organisation spent 2024 racing to comply, you’re not done. You’re at the start of what MAS is building toward.
In March 2026, MAS published a consultation paper proposing updated MAS TPRM guidelines that will expand the scope of what banks and financial institutions (FIs) must govern.
A real-world incident at a printing vendor that exposed data for thousands of DBS and Bank of China customers has already demonstrated why regulators are pushing harder. This article covers where the framework stands today, what’s coming next, and how FIs should be preparing now.
Singapore’s MAS TPRM guidelines are anchored in two legally binding notices: Notice 658 for banks and Notice 1121 for merchant banks, setting out what FIs must do when outsourcing relevant services to third parties. Both were announced on 11 December 2023 with a 12-month grace period, and both took full effect on 11 December 2024.
They replaced and cancelled the previous outsourcing guidelines (Notices 634 and 1108, last updated in 2018). Unlike the old guidelines (which were supervisory expectations), these notices carry binding legal force under Section 47A of the Banking Act 1970.
One important nuance: paragraphs 7.1 and 12.8 of Notice 658, which govern outsourcing register submission obligations to MAS, operate under a separate implementation timeline. Bond pricing supplements filed by major Singapore banks with SGX consistently note that “with the exception of paragraphs 7.1 and 12.8, the requirements in MAS Notice 658 have taken effect from 11 December 2024.”
The specific activation date for these paragraphs was to be communicated separately by MAS.
Under the MAS TPRM guidelines, Notice 658 applies to all banks operating in Singapore and Notice 1121 applies to merchant banks. Both are issued under Section 47A(2), (4), (6), (7) and (12) of the Banking Act 1970.
Responsibility for compliance sits with senior management, CISOs, and executives at these financial institutions. The notices do not apply directly to the third-party service providers themselves. The obligation sits squarely on the FI to manage, monitor, and document its vendor relationships.
The four core obligations MAS expects FIs to meet are well-established by now. Here’s where each stands in practice.
Under the MAS TPRM guidelines, banks and merchant banks must maintain a complete, current register of all outsourced service providers, available for submission to the Authority semi-annually and on demand.
Maintaining this register manually through spreadsheets is technically possible, but it creates real exposure: registers go stale, updates get missed, and producing a clean submission on short notice becomes a fire drill.
Cyber Sierra’s TPRM module maintains a continuously updated vendor inventory automatically, giving security teams a searchable, audit-ready record of how each vendor performs against MAS requirements.
The MAS TPRM guidelines require FIs to implement an appropriate third-party risk governance framework and designate an executive team for oversight. The notices specify two non-negotiable requirements here.
FIs can build a custom governance framework or adopt and adapt globally accepted frameworks such as SOC 2 or NIST. Cyber Sierra comes pre-built with customisable versions of these frameworks, and provides a single workspace for all stakeholders involved in oversight and review.
The MAS TPRM guidelines require FIs to evaluate vendors before engaging them and on a continuous basis afterward. Due diligence extends to fourth parties (the subcontractors a service provider uses). Vendors must provide evidence of meeting designated security assessment requirements, and that evidence must be current.
MAS expects vendors working with FIs to demonstrate compliance with designated security assessment requirements:
Cyber Sierra’s TPRM AI Analysts can request, receive, and review vendor evidence submissions automatically, flagging missing, insufficient, or irrelevant documents before a human reviewer has to engage. The platform also validates each uploaded evidence file against the relevant assessment questions.
This level of automation is why financial institutions rely on Cyber Sierra for third-party risk management. Take one global bank based in Singapore:
The MAS TPRM guidelines also require FIs to arrange for independent audits of their third-party vendors on an ongoing basis. The requirement is direct:
Working with independent auditors gives FIs an external perspective on vendor risk that internal teams can miss. But because MAS requires this on an ongoing basis, the process needs to be structured rather than ad hoc. Cyber Sierra provides auditors with a central platform to search, review, and flag vendors with security gaps, without the coordination overhead of email-based audit workflows.
Four months after Notices 658 and 1121 took full effect, a real-world incident demonstrated exactly the risk the framework is designed to address.
On 5 April 2025, Toppan Next Tech (TNT) notified DBS Bank that ransomware had hit its systems. Toppan handled printing of customer statements for DBS and several other banks.
Threat actors extracted account statements for approximately 8,200 DBS Vickers customers and around 3,000 Bank of China Singapore customers whose print communications were handled by Toppan. No core banking systems were breached. The attack was entirely on the third-party vendor’s infrastructure.
MAS and the Cyber Security Agency of Singapore (CSA) were both informed and monitored the situation. The incident was widely covered by Reuters and disclosed publicly by DBS the following day.
The significance here is straightforward. Toppan was not an IT service provider in the traditional sense. It was a printing vendor.
Under the broadened scope that MAS is now proposing (more on that below), vendors like Toppan that handle customer data would fall explicitly within the MAS TPRM guidelines framework. The incident is a clear signal that these guidelines are grounded in observed risk, not just regulatory theory.
On 6 March 2026, MAS published Consultation Paper P004-2026 proposing new Guidelines on Third-Party Risk Management (TPRMG). The consultation closed on 20 April 2026. Final guidelines are pending as of mid-2026, with a 6-month transition period expected from the date of issuance.
This is the headline development for any FI that considers its MAS TPRM guidelines compliance settled. The proposed TPRMG will supersede the existing Guidelines on Outsourcing, but Notices 658 and 1121 remain in place as binding law. Both the updated TPRM guidelines and the binding notices will apply simultaneously.
The current MAS TPRM guidelines focus on “outsourcing”: arrangements where the FI delegates a function it could perform itself. The proposed TPRMG expands this to cover all third-party arrangements, including:
Only a narrow set of arrangements is exempted: financial market infrastructures (clearing houses, SWIFT), utilities like telcos and electricity providers, and services unrelated to financial business where the provider has no access to customer or confidential data. Even exempted services must be covered by business continuity and incident response plans.
Law firm analysis from Reed Smith, Bird & Bird, Baker McKenzie, and Rajah & Tann identifies several requirements that go beyond what the current notices mandate:
The proposed TPRMG also runs parallel to a second March 2026 consultation on Updated Guidelines on Operational Risk Management, and to MAS’s November 2025 consultation on AI Risk Management Guidelines, which directly applies when FIs outsource AI or machine learning model development and deployment to third parties.
The 6-month transition window once the final MAS TPRM guidelines are published will move fast. FIs that wait for the final text before assessing their gaps will spend that window scrambling. The practical implication is that preparation should start against the proposed requirements now. The consultation is closed, and the direction is clear enough to act on.
Specifically, this means auditing which third-party arrangements currently fall outside your TPRM program (SaaS subscriptions, data vendors, intragroup arrangements), assessing concentration risk exposure, and verifying that exit plans exist and have been tested for critical providers.
Whether your focus is on meeting the current MAS TPRM guidelines or preparing for the proposed TPRMG expansion, the operational challenge is the same: managing vendor risk continuously rather than periodically, across a vendor population that only grows larger.
The Toppan incident made clear that even non-IT vendors with access to customer data create material exposure. The proposed TPRMG makes clear that MAS has drawn the same conclusion and is extending the governance perimeter accordingly.
The teams that handle this well are the ones that move TPRM from a compliance project (something done once a year ahead of an audit) to an ongoing operational function with automated evidence collection, continuous vendor monitoring, and audit-ready documentation available on demand.
Cyber Sierra’s TPRM module is built for exactly this: AI Analysts that review vendor evidence, flag gaps, and maintain audit trails continuously. When MAS asks for your vendor register or an auditor needs documentation, the answer is ready. See how the TPRM platform works in practice, or book a demo to walk through how it fits your current compliance program.
Yes. Both notices took full effect on 11 December 2024 and remain fully operative. The proposed TPRMG, once finalised, will supersede the existing Guidelines on Outsourcing, but the MAS TPRM guidelines in Notice form carry binding legal force under the Banking Act 1970 and will remain.
The current MAS TPRM guidelines apply specifically to “outsourcing” arrangements where an FI delegates a function it could perform itself. The proposed TPRMG expands this to cover all third-party arrangements, including SaaS platforms, data vendors, intragroup services, fintech partnerships, and cloud services.
The TPRMG also introduces new requirements around concentration risk, exit planning, and group-level oversight.
No. The proposed TPRMG will supersede the Guidelines on Outsourcing (the non-binding guidelines layer), but Notice 658 and Notice 1121 remain in force as binding notices issued under the Banking Act. When the TPRMG is finalised, FIs will need to comply with both.
In April 2025, printing vendor Toppan Next Tech suffered a ransomware attack that resulted in customer statement data being extracted for approximately 8,200 DBS Vickers customers and around 3,000 Bank of China Singapore customers.
No core banking systems were compromised. The incident highlighted that third-party vendors with access to customer data, even non-IT vendors, represent material exposure under the MAS TPRM guidelines framework.
The consultation paper was issued on 6 March 2026 and closed on 20 April 2026. As of mid-2026, final guidelines have not been published. Once issued, FIs will have a 6-month transition period to comply. Preparation against the proposed requirements can begin now. The direction is clear from the consultation paper and supporting law firm analysis.
Cyber Sierra’s TPRM module provides AI Analysts that automate vendor evidence review, flag missing or insufficient documentation, maintain audit trails, and support continuous vendor monitoring, replacing the manual, email-based workflows that most TPRM teams currently rely on. The platform also maintains a continuously updated vendor registry suitable for MAS register submission requirements.
A weekly newsletter sharing actionable tips for CTOs & CISOs to secure their software.
Please check your email to confirm your email address.
Find out how we can assist you in completing your compliance journey.
The Hong Kong Monetary Authority (HKMA) updated its outsourcing regulations in December 2023. Click to learn more.
Learn how to protect your business from cyber attacks when working with third-party vendors. Find out about compliance certifications, cyber insurance, and two-factor authentication in our blog.
MAS March 2026 TPRM consultation expands scope beyond material outsourcing. 5 obligations Singapore FIs must act on: vendor register, continuous monitoring, AI/cloud due diligence.