
Moving towards digitalisation and the risks involved: Data Centre and Cloud Computing in Malaysia

As the pandemic has pushed so many businesses into digitalisation, Malaysia has also shifted rapidly in that direction and has begun integrating digital technologies into all areas of its economy, especially the banking and finance industry. The Malaysian financial services sector is undergoing rapid transformation by leveraging the transformative power of cloud computing and data centres.
 
As we move towards digitalisation, we also become more vulnerable to attacks by scammers and hackers. It has been reported that cyber-attack cases spiked during the lockdown period in Malaysia, and similar reports have been made globally. Attackers now target every industry: organised groups no longer pick specific targets but will attack any individual or organisation whose internet-exposed systems have vulnerabilities, in order to obtain personal information. Even at the firm, efforts are being made to enhance our firewall and systems in view of the working-from-home environment.
 
In this article, we briefly explain the concepts of data centres and cloud computing, as well as the policy document issued by the Central Bank of Malaysia (Bank Negara Malaysia (“BNM”)) to manage cyber-risk exposure. We then discuss the contractual obligations involved in negotiating data centre and cloud computing contracts.
 
Many companies rely on data centres and cloud computing to support digital products that emphasise convenience and speed. So, what are data centres and cloud computing, and how do they differ?
 
The Concept: Data Centre vs. Cloud Computing
 
A data centre is a physical facility that organisations use to house their critical applications and data, whereas cloud computing refers to data storage in a network of internet-based servers. The main difference between cloud computing and a data centre is where the data is stored: a data centre houses servers and/or data storage in on-premise hardware, while the cloud refers to data storage via off-premise computing. In a sense, if an organisation uses a third-party data centre to store its data, that storage is technically in the cloud as well, since the data is not kept on the organisation’s own premises.
 
A data centre will usually consist of a private data centre space, an IT office area, offsite tape storage services and a shared work business area. Each of these areas in the private data centre is briefly described below:

  1. Data centre space – a computer room with a raised floor area in which the customer installs the necessary equipment (hardware and software).
  2. IT office area – the office work area, which is normally smaller than the data centre space and is normally dedicated for use by the customer.
  3. Shared work business area – the equipment and facility that the data centre provider makes available to its customer in the event of a disaster declaration by the customer. A disaster is an unplanned interruption to, or inaccessibility of, the work area facility, beyond the customer’s control, lasting more than 24 consecutive hours.

The customer pays a subscription fee to the data centre provider for the use of the private data centre. The subscription fee is normally a monthly fee, in accordance with a schedule, in consideration of the facilities provided by the data centre provider. However, there will be a separate charge for the use of the shared work business area.
 
Apart from the data centre space, data centre providers will not provide any equipment, equipment cabling or devices, nor the maintenance, installation, relocation or reinstallation of the customer’s equipment. As such, when negotiating a data centre agreement, it is important for the customer to review the performance standards in the agreement and to identify the customer’s computer equipment to be installed in a separate appendix. Provisions on services relating to data centre equipment, heating, ventilation and infrastructure should also be included.
 
Risk Management in Technology (“RMiT”)
 
Since the banking and finance industry is now heavily dependent on technology, BNM has taken the lead and issued a policy document on RMiT. It puts in place a framework to minimise operational disruptions and maintain confidence in the system in the face of cyber threats, and it applies to financial institutions including licensed banks. The RMiT policy came into effect on 1 January 2020 and covers everything relating to the use of technology by financial institutions, such as cloud services, data centre operations and the security of digital services.
 
In complying with the RMiT policy, a financial institution shall have regard to the size and complexity of its operations. Further, all financial institutions shall observe the minimum standards prescribed in the policy document, so as to prevent the exploitation of weak links in interconnected networks and systems that may cause detriment to other financial institutions and the wider financial system.[1] In this regard, the RMiT policy places responsibility on the board of directors of each financial institution to establish and approve a technology risk appetite that is aligned with the institution’s risk appetite statement.[2]
 
The board shall also be responsible for overseeing the effective implementation of a sound and robust Technology Risk Management Framework (“TRMF”) and Cyber Resilience Framework (“CRF”). The TRMF safeguards the information infrastructure, systems and data of the financial institution, whereas the CRF addresses the cyber resilience of the financial institution.
 
According to the RMiT policy, a financial institution shall specify resilience and availability objectives for its data centres that are aligned with its business needs. The network infrastructure must be designed to be resilient, secure and scalable. A financial institution shall ensure that potential data centre failures or disruptions do not significantly degrade the delivery of its financial services or impede its internal operations.[3]
 
In addition, a financial institution must ensure that its capacity needs are well planned and managed with due regard to its business growth plans. This includes ensuring adequate system storage, central processing unit (CPU) power, memory and network bandwidth in its data centres.[4]
 
Negotiating Data Centre Agreements
 
First and foremost, it is vital to clarify the legal relationship between the data centre provider and the customer. The relationship between the parties is that of independent contractors. In the majority of cases, the parties will enter into a lease agreement which may include elements of a service agreement.
 
Because relocating a data centre is complex, most data centre leases run for a long term. Hence, it is important for the parties to negotiate the number of renewal periods. It is also crucial to negotiate with the data centre provider the minimum scheduled outage at which subscription fees will be varied and/or waived. A company should take this into account when negotiating data centre agreements to ensure consistency with the RMiT policy. In addition, financial institutions in particular should ensure that the agreement covers the relevant regulator’s right to audit where necessary.
 
The parties to a data centre agreement should consider including service levels and reasonable support provisions in the agreement, and it is advisable for them to negotiate performance management for the private data centre space.
 
Finally, as cyber-attacks become the “new normal” and data centres, as data hubs, remain susceptible to them, it is imperative that financial institutions adhere to the RMiT policy and implement the TRMF and CRF described above. This strengthens their vigilance and diligence in cyber risk management and encourages them to explore new approaches to building greater cyber resilience within their organisations. To counter ever-evolving cyber threats, all financial institutions shall periodically review their TRMF and CRF, at least once every three years, and shall ensure that both remain relevant on an ongoing basis.[5]
 
For more information and legal assistance on contracts relating to data centres, please do not hesitate to contact your respective lawyers or partners at the firm. Otherwise, give us a call at +603-2092 4822 or email us at ridza@ridzalaw.com.my

Mohamed Ridza Abdullah

Mohamed Ridza & Co, Kuala Lumpur, Malaysia

ridza@ridzalaw.com.my

https://www.ridzalaw.com.my/

Author: Shareen Ng En Yi, Associate

shareen@ridzalaw.com.my

[1] Part A, para 1.3 of the RMiT policy.

[2] Part B, para 8.1 of the RMiT policy.

[3] Part B, para 10.21 of the RMiT policy.

[4] Part B, para 10.26 of the RMiT policy.

[5] Part B, para 8.3 of the RMiT policy.