Regulatory environment hindering S’pore FSIs from embracing the public cloud

The regulatory environment that financial services institutions (FSIs) are working under often tends to constrain moves on to public cloud environments due to concerns that it may cause regulators to downgrade their risk rating.

Whilst some financial organisations have begun to deploy public cloud services for non-mission critical application and workloads, by and large the majority have avoided public cloud and maintained a strict on-premise or private cloud environment.

Gartner estimates that, since 2013, regulatory bodies have introduced more stringent cloud vendor risk management guidelines, making compliance with regulatory standards more challenging for business leaders. It estimates that public cloud services in APAC would rise from US $7.4 billion in 2015 to US $11.5 billion in 2018, a compounded annual growth rate (CAGR) of 11.65 percent.

The Infocomm Development Authority of Singapore (IDA) as well as research firm IDC have, meanwhile, listed cloud computing as a key pillar for Singapore to achieve its vision of becoming the world’s first Smart Nation. Adoption among the financial services industry will play a key part in this growth.

Singaporeans FSIs have several compliance regulations to be considered before moving into an outsourced or cloud environment for their IT, these include the  Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Notice and Guidelines (2013); the MAS Outsourcing Guidelines (updated 2016); and the IDA Personal Data Protection Act (2012).

These documents act as a set of guidelines to guide FSIs as they move into cloud environments and ensure they adopt proper governance and risk management.

At a high level these controls are:

  1. Board and Senior Management must retain accountability and oversight;
  2. Proper governance is put in place, including the right organisational and management structures, policies, processes and procedures;
  3. Use an effective technology risk management framework on an ongoing basis;
  4. Organisations must retain a register of all outsourcing agreements;
  5. Management of IT outsourcing should be done to perform due diligence and to assesses that outsourcing remains appropriate and effective;
  6. Information systems should have security controls planned during design, and should be properly project managed, reviewed and tested;
  7. Ensure there is a strong IT Service Management process that includes change, program migration, incident, problem and capacity management;
  8. Build systems for availability and recoverability including redundancy, recovery planning and testing at least annually and data backups;
  9. Operational Security management should include data classi cation, strong access controls and encryption for data at rest, in motion and at end points.
  10. Security baselines should be established and monitored, network security devices such as firewalls implemented, and vulnerability assessments, penetration tests and security monitoring, including log reviews, should be put in place.
  11. Data centres should have a threat and vulnerability risk assessment (TVRA) performed on them. Physical security should be strong, with controlled access, guards and security surveillance systems.
  12. Access controls should be done according to key principles including ‘never alone’ (or ‘four eyes’) for critical activities, segregation of duties and the ‘need to have’ basis. The activity logs for privileged access should be reviewed to ensure only the approved actions took place.
  13. Online systems should be secure with encryption, strong authentication and monitoring in place. Users should be educated by the FI.
  14. For payment cards, encrypt card data and use secure chips and not magnetic stripes.
  15. ATMs and payment kiosks should have security such as anti-skimming, tamper-proo ng and video surveillance on own and 3rd-party kiosks.
  16. An independent IT audit function should be used, who should perform comprehensive audits and track any issues through to resolution.