The Association of Banks in Singapore (ABS) has recently released the second version of its implementation guide for Financial Institutions (FIs) entering into Cloud outsourcing arrangements and maintaining them on an on-going basis. The first version was released in 2016, and the significant technological advancements since then prompted the ABS to release an update addressing these changes. The update is also intended to further support the practice of migrating material workloads to the Cloud, including systems of record and systems classified as Monetary Authority of Singapore (MAS) Critical. Please refer to MAS Notice 644 for the definition of MAS Critical.
The Guide is intended to assist Financial Institutions in understanding approaches to due diligence, vendor management and key controls that should be implemented on an on-going basis in Cloud outsourcing arrangements. It can also be used by Cloud Service Providers (CSPs) to better understand what is required to achieve successful Cloud outsourcing arrangements with FIs.
Cloud outsourcing classification
ABS has also provided guidance on the definition of the different risk categories in Cloud outsourcing arrangements and on what is likely to constitute material and non-material outsourcing in the context of the cloud. This guidance helps FIs understand the inherent risk profile of a Cloud outsourcing arrangement and then ensure that appropriate controls are in place.
A broad guideline for the classification of material and non-material outsourcing is given below. It is only a broad guideline; the final decision should be made based on the FI’s risk appetite.
Cloud Outsourcing Category: Non-Material
Common characteristics:
• Staff data which does not include bank account or credit card data (e.g. information found on name cards)
• Development and Test environments
• Services not defined as ‘critical’
• Application binaries, or risk management quant libraries that are being tested on masked data (i.e. performance & volume testing, regression testing, or Monte Carlo simulations)
• Information Security solutions such as Managed Security Services / Operations Centres, where information assets are encrypted and logically segregated
• Websites for accessing information that is classified as ‘public’
• Service Management applications
Cloud Outsourcing Category: Material
Common characteristics:
• Use of customer information, the unauthorized access or disclosure, loss or theft of which may have a material impact on the customer
• Use of staff data, including Personally Identifiable Information (PII), payroll and bank account or credit card data
• Software used for the trading of financial instruments or other transactions
• Financial Risk management systems (Market, Credit and Liquidity)
• Non-public commercially sensitive information that could influence financial markets
• Regulatory reporting or accounting data
• Outsourced business activity defined as critical by the FI
• Systems of record, including core banking applications
• Any Cloud based implementation of a system classified as ‘MAS Critical’
• Email and document storage
• Authentication services providing One Time Passwords (OTP) or 2 Factor Authentication (2FA)
• Vulnerability Scanning Services
Activities recommended as part of due diligence
ABS has further laid out a recommended due diligence process and vendor management activities for Cloud outsourcing arrangements. The recommendations cover the pre-engagement assessment of the CSP as well as on-going risk assessment and oversight. Again, FIs are advised to take a risk-based approach and to understand how the recommendations apply to their specific outsourcing arrangement.
FIs are encouraged to establish a risk management and governance framework to assist in the identification and monitoring of risks during cloud adoption. Expectations should be agreed between the CSP and the FI, in particular with regard to operational contract management, SLA management, technology risk management, business continuity management and contract exit. The contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties should be set out fully in written agreements.
Assessment of the Cloud Service Provider
ABS highlights data confidentiality and financial, operational and reputational factors, including the ethical and professional standards held by the CSP and the CSP’s ability to comply with its obligations under the outsourcing arrangement, as the top considerations when assessing a CSP.
The scope of the assessment of a CSP should, at a minimum, cover the data centre (DC) perimeter, physical and environmental security, exposure to natural disasters, and the political and economic climate of the country in which the data centre resides.
When negotiating a contract with a CSP, the FI should ensure that it is able to contractually enforce agreed and measurable information security and operational requirements. The FI should ensure that the outsourcing contract includes:
- responsibilities of contracting parties to address the scope of the services and the applicable baseline security policies and practices
- assurance that the CSP can protect the confidentiality and integrity of the FI’s information
- provision to review and monitor the security practices and control processes of the service provider on a regular basis
The FI should understand and agree with the CSP on the change management process for the services provided, and on the impact assessment criteria in relation to the SLA in the contract. The FI should ensure that the outsourcing agreement obliges the CSP to notify the FI of any significant change that may impact service availability (including changes to controls and/or location).
As financial institutions scale up their use of Cloud services, the updated guide reflects industry best practices and facilitates responsible and secure adoption by setting clear expectations for both banks and service providers.
Cloud Kinetics has a proven track record of working with global banks and facilitating their cloud journeys. Contact Us for cloud outsourcing.