SINGAPORE Law and Practice
Contributed by: Lim Chong Kin, Drew & Napier LLC
Sector-Specific Regulation

Apart from the PDPA and the Cloud Services Guidelines, the use of CSPs in the financial sector is subject to additional regulation by the sectoral regulator (the MAS). In this respect, the MAS has published the following guidelines for financial institutions (FIs), setting out its position on cloud computing and cloud outsourcing arrangements:

• Technology Risk Management Guidelines;
• ABS (Association of Banks in Singapore) Cloud Computing Implementation Guide 3.0;
• Guidelines on Outsourcing; and
• Advisory on Addressing the Technology and Cyber Security Risks Associated with Public Cloud Adoption.

In general, these guidelines provide guidance to FIs on:

• maintaining data, infrastructure and network security;
• sound practices on risk management of outsourcing arrangements; and
• the use of cloud computing platforms.

FIs are encouraged to conduct appropriate due diligence on CSPs and to evaluate the risks before entering into a cloud outsourcing arrangement. The risk assessment should also be performed periodically on existing outsourcing arrangements, as part of the approval, strategic planning, risk management or internal control reviews of the outsourcing arrangements of the FI.

Specific Issues Regarding Personal Data Protection

The transfer limitation obligation under the PDPA requires the contract or BCRs to expressly state the locations to which the personal data may be
missioner of Cybersecurity, comply with codes of practice, standards of performance or written directions, and notify the Commissioner of Cybersecurity of any prescribed cybersecurity incident.

Industry Standards and Codes of Conduct

The Multi-Tier Cloud Security (MTCS) Singapore Standard (SS584) is the primary local industry standard for determining the level of cloud security provided by CSPs. The MTCS has three levels of security, with Level 1 being the base standard and Level 3 being the most stringent standard. The adoption of the MTCS is voluntary for CSPs, unless they are participating in bulk tenders for government procurement of public cloud services. Under the PDPC’s Cloud Services Guidelines, MTCS Level 3 certification could give organisations assurance of the CSP’s ability to comply with the protection obligation under the PDPA.

The PDPC has also published the 2018 Guidelines for Cloud Outage Incident Response (COIR) (TR 62:2018). Under the voluntary COIR framework, cloud service customers (CSCs) can choose appropriate outage protection measures that complement their business continuity/disaster recovery capabilities, through a set of guidelines that assist CSCs in identifying, evaluating and negotiating protection needs with CSPs to incorporate into their service-level agreements, and through the sharing of COIR practices by CSPs using the same set of common parameters. While the adoption of the COIR guidelines is voluntary, CSPs are encouraged to self-disclose their service support capabilities with respect to service outages.
409 CHAMBERS.COM