HKMA sets out supervisory expectations relating to adoption of cloud computing

The HKMA has issued a circular to provide guidance to authorised institutions (AIs) on its supervisory expectations relating to the adoption of cloud computing. This is in light of the growing trend of AIs adopting cloud computing via third-party cloud service providers (CSPs). The HKMA's supervisory expectations are developed with reference to the results of a round of thematic examinations undertaken from 2021 to 2022.

The principles serve to complement (and should be read in conjunction with) the relevant existing HKMA guidance, including supervisory policy manual module SA-2 (Outsourcing), module OR-2 (Operational Resilience) and module TM-G-1 (General Principles for Technology Risk Management). AIs should apply the guidance in a proportionate manner and in a way that is commensurate with the criticality of their cloud adoption and potential impact on their risk profiles.

The key principles include:

Governance framework – AIs should adopt an effective governance framework overseen by the board of directors and senior management and a proper due diligence process to assess the capabilities and suitability of a CSP before and regularly during engagement.

Ongoing risk management and controls – AIs should understand their roles and responsibilities under the agreement with the CSP, develop comprehensive risk management procedures, ensure effective controls in relation to information security and customer data confidentiality, and develop a viable and effective contingency plan to cope with disruptions.

Protection of access and other legal rights – There should be suitable arrangements to guarantee AIs' audit rights and other rights and risk management needs, as well as the HKMA's supervisory access to information stored in the cloud.

Risk management capabilities – AIs should equip staff with the knowledge and skills required to securely use and manage risks associated with cloud computing. [31 Aug 2022]

