MAS Issues Circular on Technology and Cyber Security Risks of Public Cloud Services

Jul 01 2021 | by OrionW

Financial institutions (FIs) increasingly rely on public cloud services to implement their customer-facing and back office electronic services.  Younger FinTech companies may have their entire technology infrastructure in the cloud.  The technology, operational, staffing and financial benefits of public cloud services are many, but those benefits come with a different risk profile than technology implemented on an FI’s premises.  The Monetary Authority of Singapore (MAS), Singapore’s financial regulator, published a June 2021 circular advising FIs of MAS’s views of the technology and cyber security risks associated with public cloud services (Circular).  The Circular supplements MAS’s other notices and guidelines, including the Notice on Technology Risk Management, Notice on Cyber Hygiene and Outsourcing Guidelines.

Public cloud services enable public access via the Internet to shared resources such as servers, storage and applications.  Customers manage their use of those resources through sophisticated interfaces and can scale their use of resources on demand.  Public cloud service providers (CSPs) include Amazon Web Services, Microsoft, Alibaba Cloud and SAP.  Service models range from infrastructure-as-a-service (IaaS) to platform-as-a-service (PaaS) to software-as-a-service (SaaS).

The Circular reminds FIs that they are ultimately responsible for managing the risks related to their use of public cloud services and must do so in a way that is tailored to their individual needs and the service model they implement:

A risk-based approach should be taken to ensure that risk[s] associated with the use of public cloud services are adequately addressed, and to ensure that the level of governance and controls are commensurate with the risks posed by public cloud services.

MAS’s risk-based approach to public cloud services is consistent with its regulatory philosophy in many other aspects of its oversight of Singapore’s financial sector.  The high-level implications for FIs of the risk-based approach to public cloud services include:

  • Qualified Staff.  FIs intending to integrate public cloud services into their businesses must have staff who are qualified to understand and manage the attendant risks.
  • Thoughtful Risk Management Strategy.  FIs must rely on their qualified staff to develop and implement comprehensive risk management strategies aligned with their individual cloud configurations and consistent with their risk appetite.  Risks to be managed include the full range of technology risks as well as business risks such as outsourcing, vendor lock-in and concentration risks, whether it is appropriate to move a particular service or function to the cloud at all, and whether a CSP is a good match for the services proposed to be implemented in their cloud.
  • Robust CSP Performance Evaluation and Cloud Services Agreement.  FIs must ensure their ability to operate their businesses, manage risks, fulfil customer obligations and satisfy regulatory requirements through pre- and post-engagement evaluations of, and robust service agreements with, their CSPs.
  • Strong Technology Risk Management Controls and Active Oversight.  Implementing a cloud solution is not a set-it-and-forget-it exercise.  FIs must actively manage the technology risks related to public cloud services, through such methods as security-in-the-cloud, application security, data security and encryption, and identity and access management.

Key Takeaway

In keeping with MAS’s risk-based approach, the Circular does not impose mandatory requirements on FIs nor prescribe particular methods of managing the risks related to public cloud services.  Nevertheless, FIs are now on notice of the risks and risk management techniques outlined in the Circular and are well-advised to carefully consider and, where appropriate, to adopt those techniques.  Otherwise, an FI should be prepared to respond to questions from MAS during a supervisory review about why a technique was not adopted, particularly if the technique targets a risk that has materialised.

For more information

OrionW regularly advises clients on financial technology matters.  For more information about the Circular, or if you have questions about this article, please contact us at fintech@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.