Hong Kong Regulator Imposes New Conditions to Regulate Outsourcing Arrangements for Cloud Storage

Summary

The Securities and Futures Commission of Hong Kong (SFC) issued new guidance to regulate the use of external electronic data storage providers (EDSPs¹) by licensed firms that intend to keep (or have previously kept) records or documents required to be maintained pursuant to the statutory recordkeeping rules and anti-money-laundering regime (Regulatory Records) in an online environment. The new guidance² and related FAQs released October 31, 2019, while extensive and significant, confirm the Hong Kong regulator’s willingness to provide firms with a degree of flexibility in complying with the statutory recordkeeping obligations and clarify the baseline obligations when entering into outsourcing arrangements for the storage of records in electronic format with third-party vendors.

Whom does this affect?

The new requirements are relevant to firms that 

• already use EDSPs “exclusively” for storage of records (without prior SFC approval)
  or
• plan to use EDSPs in any capacity 

but does not apply to firms that keep

• original records at premises approved by the SFC or
• identical electronic records at both its approved premises and the EDSP (whether located in Hong Kong or elsewhere)
  

As a general principle, firms need to obtain the SFC’s approval before using any premises for keeping regulatory records. However, it was acceptable for firms to keep trade- or non-trade-related records in electronic form so long as they could be readily convertible into written form. As long as firms took necessary measures to safeguard against damage, falsification, tampering or destruction of such records, prior approval from the SFC of outsourcing arrangements with third-party vendors was not previously required (albeit firms were required to notify the SFC of their outsourcing practices). This position has now changed. Where a firm intends to keep regulatory records exclusively with EDSP(s), then the data center(s) used by EDSP(s) at which regulatory records are kept (whether located in Hong Kong or elsewhere) must be approved by the SFC.

1) Key requirements where records are “exclusively” kept with EDSPs

2) Baseline obligations when using EDSPs (exclusively or nonexclusively)

Regardless of whether firms plan to keep records exclusively with EDSPs, the SFC also outlined the minimum key controls firms are expected to implement when entering into outsourcing arrangements to safeguard the handling of client data and information:

• Cybersecurity: Firms should implement controls (and appropriate security protocols) to detect and prevent unauthorized access, insertion, alteration or deletion of data by third parties or hackers (especially if using public cloud facilities).
• Due diligence: Assessments should be undertaken initially and on an ongoing basis commensurate with the criticality, materiality, scale and scope of the service provided by each vendor (including review of subcontracting arrangements), especially with regard to cyber risk management, information security, disaster recovery and business continuity processes.
• Data classification policy: Firms should implement a comprehensive information security policy to prevent any unauthorized disclosure, which should include an appropriate data classification framework to protect confidential information and identify corresponding control measures (e.g., by encryption).
• Contingency plans: Firms should have a legally binding service agreement with vendors, with embedded termination rights that avoid material disruption to its regulated business operations, together with appropriate covenants to ensure the orderly transition or migration of data to new providers in emergency situations (such as the insolvency of the vendor).
• Concentration risks: Firms should consider whether it is appropriate to use more than one vendor or establish alternative arrangements to ensure operational resilience and avoid concentration risk.

What happens next?

All firms should review and conduct a gap analysis of their current (or proposed) outsourcing arrangements. Firms that exclusively keep records in an online environment with third-party vendors should seek SFC approval (without delay). Firms that may have already obtained SFC approval of their outsourcing arrangements before October 31 are still required to comply with the new requirements and must notify the SFC of their designated MICs with oversight of the outsourcing arrangements (without delay) and submit the relevant confirmation, notices or undertakings (as the case may be) no later than June 30, 2020 (i.e., subject to an eight-month grace period).

If you would like to discuss the approval requirements or plan to adopt cloud storage solutions and would like explore how we may able to assist you, please do not hesitate to contact us.

¹EDSPs are broadly defined to include external providers of (a) public and private cloud services; (b) servers or devices for data storage at conventional data centers; (c) other forms of virtual storage of electron information; and (d) technology services whereby (i) information is generated in the course of using the services, and the information is stored at such technology service providers or other data storage providers, and (ii) the information generated and stored can be retrieved by such technology service providers.

²Circular to Licensed Corporations – Use of external electronic data storage (October 31, 2019).