MALAYSIA Law and Practice Contributed by: Janet Toh, Irene Yong, Krystle Lui and Boo Cheng Xuan, Shearn Delamore & Co.
tions with BNM prior to public cloud adoption for critical systems (including demonstrating readiness to adopt public cloud for critical systems, and measures to mitigate identified risks based on Appendix 10 of the RMiT PD), notifying BNM on the subsequent adoption of public cloud for critical systems (including providing assurance on enhanced incident response due to adverse events), and inclusion of a roadmap for cloud adoption (for both critical and non-critical systems) in the annual outsourcing plan submitted to BNM.

The RMiT PD also prescribes requirements on the management of third-party service providers, defined to include cloud computing software, platform and infrastructure service providers, and would presumably also include providers of edge computing solutions. Among others, service level agreements must be in place when engaging such providers, and must contain the mandatory terms required by the RMiT PD, some of which are specific to the use of cloud services.

Note that a revision to the RMiT PD may be underway, in light of the Exposure Draft on Risk Management in Technology released by BNM on 7 November 2024, opened for public feedback until 31 January 2025.

Policy Document on Outsourcing

The Policy Document on Outsourcing, issued 23 October 2019 (the “Outsourcing PD”), requires outsourcing arrangements which qualify as material outsourcing (which would include outsourcing relating to cloud and edge computing that is material) to be approved by BNM in writing before the financial institution enters into such arrangements or makes significant modifications to such existing arrangements, and all planned outsourcing arrangements (whether material or otherwise) to be notified to BNM through the submission of the yearly outsourcing plan.

Specifically for material outsourcing for the use of cloud service providers, an application for the aforementioned BNM approval must provide details of the cloud service, deployment model, nature of data to be held and locations (eg, city and country) where such data is stored, including back-up locations. Some of this information is also required to be included in a register of all of the financial institution’s outsourcing arrangements.

Due to the oft-cross-border nature of cloud service delivery, the requirements on outsourcing outside Malaysia (ie, where the service provider is located or performs the outsourced activity outside Malaysia), including those relating to the due diligence process and the financial institution’s business continuity plan, shall also be carefully considered.

Effective measures to address risks associated with data accessibility, confidentiality, integrity, sovereignty, recoverability and regulatory compliance should be taken, particularly due to the geographically dispersed cloud computing infrastructure.

The Outsourcing PD requires outsourcing arrangements to be governed by written agreements containing the mandatory terms stipulated therein, some of which are specifically related to cloud services, for example to address the right of the financial institution to conduct audits and inspections on the cloud service provider, including reliance on third party certifications and reports made available by cloud service providers, and the testing of a cloud service provider’s business continuity plan.