Background

The new Guidelines on Outsourcing Risk Management ("Guidelines") issued by the Monetary Authority of Singapore ("MAS") on 27 July 2016 also contained a set of guidance ("Guidance") specifically on the use of cloud services.

Several financial institutions ("FIs") in Singapore have successfully rolled out cloud solutions in the past two years, with the most recent example being DBS Bank. In late July, the bank announced two major cloud computing deals with Amazon Web Services and Microsoft.

Amidst the many advantages that cloud services have to offer, FIs are reminded to adopt appropriate risk management practices in leveraging and reaping the benefits of cloud services.

Guidance on Outsourcing Cloud Services

MAS considers cloud services operated by service providers as a form of outsourcing. FIs should therefore perform the necessary due diligence and apply sound governance and risk management practices set out in the Guidelines when subscribing to cloud services.

A summary of the new Guidelines may be found in the article above.

FIs are reminded to take active steps to manage risks that may arise from characteristics typical of cloud services, such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations. The areas of risk to which the use of cloud services is susceptible include data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing.

In particular, FIs should ensure that service providers are able to clearly identify and segregate customer data using strong physical or logical controls, and have in place robust access controls to protect customer information which survive the tenure of the outsourcing contract.

Ultimately, FIs should take a risk-based approach to ensure that the level of oversight and controls is commensurate with the materiality of the risks posed by cloud services.

Further Comments

A copy of the new Guidelines may be found here.