The Monetary Authority of Singapore (MAS) has consulted financial institutions and will update its outsourcing guidelines to reflect MAS’ expectations on the use of cloud computing services, according to Singapore trade and industry minister Lim Hng Kiang,
As well as holding the trade and industry portfolio, Lim is the deputy chairman of MAS, Singapore’s central bank and financial regulatory authority. He announced the updates in a speech made at a banking industry dinner last week.
“MAS recognizes cloud services can offer various benefits such as scalability and advanced functionalities, and is amenable to banks leveraging on cloud services to fulfil their business and operational needs,” said the minister. “MAS expects banks to ensure that their risk management measures are commensurate with the nature, scope and complexity of the cloud deployment models that they adopt.”
There will be a greater emphasis on the safeguarding of customer information held by banks and its service providers, said Lim, and “outsourcing arrangements involving certain customer information will be subject to a higher standard of care”.
Finally, there will be a greater focus on the outsourcing risk management framework of financial institutions, which MAS will continue to assess and monitor. While the revised guidelines will no longer require FIs to pre-notify MAS of any outsourcing arrangements, FIs will be held responsible for ensuring the safety of all of their outsourcing arrangements.
A growing number of guidelines and standards have been developed over the years to address cloud resilience and security in Singapore. Just earlier this year, the Infocomm Development Authority (IDA) had unveiled a set of Cloud Outage Incident Response (COIR) guidelines that tells enterprises and cloud service providers (CSPs) how to respond to a cloud outage.
Separately, the Multi-Tier Cloud Security (MTCS) standard was developed by the Information Technology Standards Committee (ITSC) in 2013 to help businesses understand the different cloud service providers’ (CSPs) offerings better by certifying their security practices.
In addition, MAS had also published a set of Technology Risk Management Guidelines, which is a set of specifications for FIs that spans from cyber security to physical infrastructure to mitigate physical threats.