THE Monetary Authority of Singapore (MAS) on Wednesday issued new guidelines on outsourcing risk management to financial institutions to watch risks from outsourcing. These also include guidelines on the use of cloud services for the first time.
"While outsourcing can bring about cost and other benefits, it may increase the risk profile of an institution," the central bank said.
Among factors that banks and other financial companies should look at in the area of cloud services, are the multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations, MAS noted.
"Institutions should take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing," said MAS.
"Institutions should ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls. The service provider should have in place robust access controls to protect customer information and such access controls should survive the tenure of the contract of the cloud services."
MAS said that in recent years, cloud technology has evolved and matured considerably, and providers have become aware of the technology and security requirements of institutions to protect sensitive customer data. For example, they have put in place strong authentication, access controls, tokenisation techniques and data encryption to bolster security.
MAS considers cloud services operated by service providers as a form of outsourcing, and that the risks from cloud services "are not distinct" from those of other forms of outsourcing arrangements.
"Institutions should perform the necessary due diligence and apply sound governance and risk management practices articulated in this set of guidelines when subscribing to cloud services," it said.
"A risk-based approach should be taken by institutions to ensure that the level of oversight and controls are commensurate with the materiality of the risks posed by the cloud services."
Under the new guidelines, financial institutions also no longer have to pre-notify MAS of material outsourcing arrangements.
But MAS has revised the definition of "material outsourcing arrangement". This will now include outsourcing arrangements that involve customer information, and in the event of any unauthorised access or disclosure, loss or theft of such data, may have a material impact on an institution's customers.