State Bank of Pakistan (SBP) has directed banks to utilize cutting-edge Cloud Computing technology. However, their systems and service providers must be located in Pakistan, with all physical servers and services also operable from within the country.
The central bank has tightened its conditions for banks' use of Cloud Computing services; previously, up to 30 percent of services could be obtained from foreign service providers outside the country, which have an edge over local companies.
SBP rolled out a draft of “Framework on IT Governance and Risk Management in Financial Institutions” for commercial banks, microfinance banks and DFIs in which it touched upon various aspects of IT applications in the banking industry.
Cloud Computing Services
SBP directed that banks shall perform an enhanced level of due diligence for all forms of outsourcing arrangements involving a cloud environment. Specifically, these financial institutions shall be aware of cloud computing's unique attributes and risks, especially in the areas of data integrity, sovereignty, commingling, platform multi-tenancy, recoverability and confidentiality, regulatory compliance and auditing.
Banks shall segregate their data and applications into core and non-core categories to ensure that core applications and business processes (those which use customers' identification and/or transactional data) are not used in public cloud computing.
They shall ensure that applications/systems which use customers' identification (KYC/CDD) data and/or transactional data/information are not placed in a cloud environment.
The central bank directed that commercial banks shall ensure strict adherence to the principles while entering into an arrangement with vendors and service providers involving cloud computing.
Commercial banks should maintain complete transparency as to where data will be physically processed and stored under Cloud Computing setup.
Customers' data must be segregated from other data held by the service provider, and must not be used for any purpose other than what is necessary to provide the service.
Role of Banks’ BoD on IT Strategy
SBP, in its draft framework, directed that each bank's board of directors shall approve the overall Enterprise IT strategy in line with the organization's business strategy, and shall monitor and update it on a regular basis in view of upcoming opportunities and threats.
Banks' BoD shall approve an IT governance framework to ensure that the organization's IT infrastructure supports and enables the achievement of corporate strategies and objectives.
The BoD shall approve all IT Management and Information/Cyber Security policies and review reports on the effectiveness of the information security program at least annually. They will oversee a safe, sound, controlled and efficient IT operating environment that supports the institution's goals and objectives.
Cyber Security Action Plan
Banks shall formulate a Cyber Security Action Plan in order to anticipate, withstand, detect, and respond to cyber attacks in line with international standards and best practices. They shall implement appropriate controls to prevent cyber security incidents, depending on the size and complexity of their IT environment.
Board-level and senior management-level engagement is critical to the success of firms’ cyber security programs, along with a clear chain of accountability. Banks shall establish and maintain a robust and properly implemented cyber security awareness program, and ensure that end-users are aware of the importance of protecting sensitive information and the risks of mishandling information.
Banks' management shall be aware of and mitigate risks associated with IT operations. Banks and their service providers may have one or more IT operations groups. Common examples of IT operations are data center or computer operations, network services, distributed computing, personal or desktop computing, change management, project management, security, resource management, and contingency and resiliency planning. Many operations functions carry significant risk factors that shall be addressed through effective management and control.
SBP has developed this framework to keep abreast of the aggressive and widespread adoption of technology in the financial services industry and, consequently, to strengthen the existing regulatory framework for IT risk supervision. The framework is broadly based on the COBIT framework and shall be integrated with the financial institutions' overall enterprise risk management program.
All commercial and microfinance banks are directed to upgrade their systems, controls and procedures to ensure compliance with these instructions by December 31, 2017 at the latest.