Navigating Public Cloud Compliance in Singapore: Regulations to Consider When Moving to a Cloud Environment

With heavy regulations surrounding financial services institutions (FSIs) in Singapore, the industry’s adoption of the public cloud has started off slowly. To make the transition to the public cloud less overwhelming, FSIs should start by focusing on a few main areas of compliance.

The first thing to keep in mind is the Monetary Authority of Singapore (MAS) and Technology Risk Management (TRM) notice and guidelines. The MAS TRM is split into a short, legally binding notice (Notice 644) and more comprehensive guidelines. This risk assessment for the MAS is critical to the business. If a company has a poor risk rating, then applications for licences to start new lines of business or for expansion of existing lines are likely to be refused.

Let’s look at Notice 644 in more detail. It requires the following:

  • A framework to identify critical systems
    • Critical systems are defined as those that will cause serious disruption to bank operations or materially impact service to the customer.
  • High availability for critical systems
    • Unscheduled downtime cannot exceed four hours in 12 months.
    • As such, the recovery time objective needs to be documented and tested every 12 months.
  • FSIs must report relevant incidents to the MAS within the hour and provide root cause analysis within 14 days.

In addition to the above, Notice 644 states, “A bank shall implement IT controls to protect customer information from unauthorised access or disclosure.” This part serves as a “catch-all,” indicating the best way to comply with this requirement is to comply with the TRM guidelines.

The second part of the MAS TRM guidelines includes a comprehensive list of recommended control mechanisms. These guidelines look at the operational security of the business, stating that board and senior management must retain accountability and oversight for all technology operations and risks. As such, the MAS and TRM requires a business ensure the proper governance is put in place, including the right organisational and management structures, policies, processes, and procedures. This section also includes a much more detailed view of exactly what controls are required and the assistance that can be given can be provided by Datapipe on request. The MAS TRM aim to ensure that there is proper IT management and that all systems are security tested from the get-go with monitoring happening on an ongoing basis.

Third, the MAS also provides outsourcing guidelines to ensure that risk is properly mitigated for IT service providers outside of the organization. The MAS does consider the public cloud a form of outsourcing. More of these requirements on outsourcing risk management can be found on the MAS government page. We will be exploring what these guidelines are and how best to navigate them in an upcoming post in this series.

Lastly, the Personal Data Protection Act (PDPA) must be taken into consideration when moving into the public space. This act is aimed at the collection and use of personal data, but has relevance to the public cloud in that the PDPA requires that data collected is properly protected through reasonable security arrangements or controls to prevent unauthorized access, collection, use, disclosure, or similar risks. Since this data is residing in the public cloud, the organization must have a way to cease retention of personal data or disassociate the personal data with an individual per the PDPA’s Retention Limitation Obligation.

These numerous compliances, regulations, and guidelines are complex and difficult to navigate. This often serves as a deterrent for FSIs looking to take advantage of the public cloud. Managed service providers can guide FSIs through these complexities, ease the transition to the public cloud, and provide the secure and highly available environment mandated in Singapore.

To learn more about compliance regulations, guidelines, and other recommendations, download our white paper.