RIZWAN BHATTI

KARACHI: The State Bank of Pakistan (SBP) on Monday issued “Framework on Outsourcing to Cloud Service Providers (CSPs)” to set out minimum requirements for SBP’s Regulated Entities (REs) to outsource their material and non-material workloads through a risk-based approach in a safe and secure manner.

To enable its regulated entities to design and offer innovative products and services by adopting cloud technology, while effectively managing the risks arising from such arrangements, SBP has developed the ‘Framework on Outsourcing to Cloud Service Providers’.

As per SBP, the framework sets out minimum requirements for Banks, Digital Banks, Microfinance Banks, Development Finance Institutions, Electronic Money Institutions, Payment System Operators and Payment System Providers to outsource their material and non-material workloads to CSPs through a risk-based approach in a safe and secure manner. Henceforth, all cloud outsourcing arrangements by SBP’s regulated entities will be governed under this framework.

REs may outsource their workloads to CSPs in the manner as prescribed in the framework. SBP has directed the REs to ensure that all existing cloud outsourcing arrangements are compliant with the requirements of the framework by December 31, 2023.

This framework sets out minimum requirements for REs to outsource their material and non-material workloads to CSPs. Requirements that apply only to material workloads are specifically identified as such.

For the purpose of these regulations, material workload means all systems, applications, and services that are fundamental for carrying out business of an RE, and if disrupted, have the potential to significantly impact an institution’s business operations, reputation or profitability.

REs may outsource all types of workloads to reputable onshore CSPs. However, outsourcing of material workloads to offshore CSPs will be subject to SBP approval, which SBP may grant on a case-by-case basis after considering the systemic implications of the cloud outsourcing arrangement.

For approval to outsource material workloads to offshore CSPs, banks, MFBs, DBs and DFIs will be required to submit a request to SBP. While granting approval to banks, MFBs, DBs, DFIs and designated PSOs/PSPs, SBP may impose additional terms and conditions over and above the requirements of this framework.

The structure and processes for managing cloud outsourcing arrangements are vital for maximizing the benefits and managing the associated risks. REs planning to outsource workloads to CSPs need to consider adapting their organizational structure for effective and efficient oversight of CSPs, specifically with regard to performance, the operational effectiveness of controls, and remediation.

REs must exercise reasonable care before entering into cloud outsourcing arrangements. To ensure effective management of the associated risks, REs have been advised to conduct reasonable due diligence on CSPs and their material subcontracting arrangements, using defined criteria.

Outsourcing workloads to CSPs does not relieve REs of their responsibility for safeguarding data confidentiality and integrity. In this regard, REs must ensure that their data in the cloud environment is clearly identifiable and segregated.

The dynamic and evolving nature of cyber threats requires periodic validation and testing of an enterprise’s security posture. However, security testing of systems and applications in the cloud environment is challenging because of the inherent shared service model. Therefore, REs will conduct vulnerability assessment, penetration testing and scenario-based security testing of their systems hosted with CSPs on a periodic basis, at least once a year.