The Monetary Authority of Singapore (MAS) has issued new guidelines on outsourcing which endorse cloud computing as a legitimate means of outsourcing for firms operating in the country.
Technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint venture partner of Pinsent Masons, the law firm behind Out-Law.com, said the new guidance "represents the clearest indication to date of acceptance by MAS of cloud computing" and would be welcomed by the finance industry and cloud service providers.
MAS said it recognised the attraction for financial firms of being able to access "scalable, standardised and secured infrastructure" via cloud services [CS]. It said the kind of risks that arise in using cloud services are "not distinct from that of other forms of outsourcing arrangements" but set out a number of requirements firms will have to meet to adopt cloud services in a way which complies with Singapore regulations.
"Institutions should be aware of CS’ typical characteristics such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations," MAS said. "Hence, institutions should take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing."
"In particular, institutions should ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls. The service provider should have in place robust access controls to protect customer information and such access controls should survive the tenure of the contract of the CS," it said.
MAS confirmed that while firms can outsource services to cloud providers they will be "ultimately responsible and accountable for maintaining oversight" of those services and for "managing the attendant risks".
"A risk-based approach should be taken by institutions to ensure that the level of oversight and controls are commensurate with the materiality of the risks posed by the CS," MAS said.
Under the new guidance Singapore firms will no longer be under an obligation to pre-notify MAS of "material outsourcing arrangements" but will be required to demonstrate their compliance with the guidance to the regulator, including through submissions of the register they need to keep of material outsourcing arrangements at least annually or upon request.
A material outsourcing arrangement is defined by MAS as "an outsourcing arrangement which, in the event of a service failure or security breach, has the potential to either materially impact an institution’s business operations, reputation or profitability; or ability to manage risk and comply with applicable laws and regulations, or which involves customer information and, in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers".
MAS stressed that the board and senior management at firms have "pivotal roles" in setting a risk management culture that allows their business to give appropriate oversight to outsourcing arrangements.
Firms considering outsourcing, whether at the point of contracting for the first time, renewal or renegotiation, must "subject the service provider to appropriate due diligence processes to assess the risks associated", it said.
The assessment should look into the cloud provider's "capability to employ a high standard of care in the performance of the outsourcing arrangement" as well as its "physical and IT security controls …, the business reputation and financial strength of the service provider, including the ethical and professional standards held by the service provider, and its ability to meet obligations under the outsourcing arrangement".
Firms should carry out on-site visits as part of the due diligence process, and, where possible, obtain third party reviews and feedback on the cloud provider "to supplement the institution’s assessment", MAS said.
The guidance has also outlined what provisions financial firms in Singapore must include within their outsourcing contracts.
Those provisions range from basics such as the scope of the outsourcing arrangement, and clauses on business continuity management, confidentiality and security, to additional specifications of "the type of events and the circumstances under which the service provider should report to the institution in order for an institution to take prompt risk mitigation measures and notify MAS of such developments".