Financial institutions (FIs) increasingly rely on public cloud services to implement their customer-facing and back office electronic services. Younger FinTech companies may have their entire technology infrastructure in the cloud. The technology, operational, staffing and financial benefits of public cloud services are many, but those benefits come with a different risk profile than technology implemented on an FI’s premises. The Monetary Authority of Singapore (MAS), Singapore’s financial regulator, published a June 2021 circular advising FIs of MAS’s views of the technology and cyber security risks associated with public cloud services (Circular). The Circular supplements MAS’s other notices and guidelines, including the Notice on Technology Risk Management, Notice on Cyber Hygiene and Outsourcing Guidelines.
Public cloud services enable public access via the Internet to shared resources such as servers, storage and applications. Customers manage their use of those resources through sophisticated interfaces and can scale their use of resources on demand. Public cloud services providers (CSPs) include Amazon Web Services, Microsoft, Alibaba Cloud and SAP. Service models range from infrastructure-as-a-service (IaaS) to platform-as-a-service (PaaS) to software-as-a-service (SaaS).
The Circular reminds FIs that they are ultimately responsible for managing the risks related to their use of public cloud services and must do so in a way that is tailored to their individual needs and the service model they implement:
A risk-based approach should be taken to ensure that risk[s] associated with the use of public cloud services are adequately addressed, and to ensure that the level of governance and controls are commensurate with the risks posed by public cloud services.
MAS’s risk-based approach to public cloud services is consistent with its regulatory philosophy in many other aspects of its oversight of Singapore’s financial sector. The high-level implications for FIs of the risk-based approach to public cloud services include:
In keeping with MAS’s risk-based approach, the Circular does not impose mandatory requirements on FIs nor prescribe particular methods of managing the risks related to public cloud services. Nevertheless, FIs are now on notice of the risks and risk management techniques outlined in the Circular and are well-advised to carefully consider and, where appropriate, to adopt those techniques. Otherwise, an FI should be prepared to respond to questions from MAS during a supervisory review about why a technique was not adopted, particularly if the technique targets a risk that has materialised.
OrionW regularly advises clients on financial technology matters. For more information about the Circular, or if you have questions about this article, please contact us at firstname.lastname@example.org.
Disclaimer: This article is for general information only and does not constitute legal advice.