SECTOR SPOTLIGHT: Financial Services in Asia-Pacific (APAC), Managing Software Risk

Post on 03-Jan-2021


Page 1: SECTOR SPOTLIGHT - NCC Group · An overview of cloud-specific regulation within the APAC region conducted by the Asia Cloud Computing Association (ACCA) highlighted that “Cloud



CONTENTS

Research 4

Regulation and Compliance 4

Recommendations 6

Recommended Solutions 6

Consider Your Risk Level 7

Cloud Research 8

Cloud Application Risk 8

Cloud Regulation 9

IaaS Partners 10

Contact Us 11

About NCC Group 12

Financial Services: Managing Software Risk 2 All Rights Reserved. © NCC Group 2016


RESEARCH

Recent reports suggest that IT spending within Southeast Asia will reach $62 billion by 2018.1 The Southeast Asia region comprises 11 countries; of these, Singapore, Malaysia, Indonesia and Thailand spend the most on IT and together account for roughly 80 percent of IT spend in the region. This projection is based on current and estimated investment in the region, particularly in verticals such as communications, banking, security and government. Investment is being made both in third party software and in systems developed in-house.

There are around 700 financial institutions operating in Singapore providing a healthy market opportunity for technology providers, especially as Singapore’s banking system prepares itself for digitalization.1

Additionally, in line with this increased commitment to capital, it is critical to consider how organisations within the financial services sector will protect their investment to ensure a confident, consistent and robust approach to risk mitigation.

In this paper, we will provide you with best practice advice to ensure the risk exposure to your organisation is effectively managed when using third party software or in-house developed applications.

Regulation and Compliance

The Monetary Authority of Singapore (MAS)2 is taking steps to create a Smart Financial Centre, in line with the country’s Smart Nation plan. With the rising wave of new financial technology (FinTech), the MAS plans to adopt new regulations and initiatives to grow an ecosystem conducive to innovation.

Regulation guidelines that are currently in place, such as the MAS Guidelines on Outsourcing2, highlight the responsibility that an organisation has to effectively manage the potential risks arising from outsourcing to a third party service provider. Organisations must ensure that the financial services sector and its customers are not exposed to the potential risk of software provider failure.

The Guidelines on Outsourcing issued by the MAS set out requirements such as:

• “An institution should ensure that its business continuity is not compromised by any outsourcing arrangement, in particular, the operation of its critical systems as stipulated under the Technology Risk Management Notice.”

• “For assurance on the functionality and effectiveness of its business continuity plan, an institution should design and carry out regular, complete and meaningful testing of its plans.”

• “Ensure that in adverse conditions, all documents, records of transactions and information given to the service provider, and assets of the institution, can be either removed from the possession of the service provider in order to continue its business operations.”

In response to these regulatory requirements, escrow has become best practice for many financial institutions, along with documenting and verifying build processes.


RECOMMENDATIONS

The financial services sector is seeing an increase in dependency on third party software and systems developed in-house. It is now critical that these organisations develop a robust risk assessment process concerning the use of such applications.

Organisations not only need to comply with regulations and internal requirements, but also to protect the investment made in current and future applications.

To establish a consistent and robust approach to support compliance with regulation and best practice, NCC Group recommends:

• Bringing the issue of risk to a board and strategic level to raise awareness of managing third party software risk internally.

• Using recommended risk assessment tools or methodologies from independent risk mitigation specialists in order to review the current software application landscape and assess the level of risk you could be exposed to.

• Developing an on-boarding process for the use of any new third party software providers with escrow agreements and an entry level of testing as standard.

• Establishing a secure library with all tested and documented details of business critical applications, ensuring that all information regarding the application environment, resource and expertise requirements are recorded.

• Testing the rebuild or data extraction of any high-dependency applications, ensuring that they form part of any contingency and disaster recovery plans.

• Implementing a consistent approach across the organisation with a documented process to assess the level of risk posed and for the implementation of escrow and testing with a recommended escrow provider.

• Reviewing and testing this approach on a regular, consistent basis.

Recommended Solutions

NCC Group provides escrow, verification and SaaS continuity services that directly address the concerns and risks associated with the use of third party software applications.

These services provide visible assurance and evidence that should third party providers become unavailable or unable to maintain their contractual arrangement, the solution can continue to operate while contingency plans are enacted.

Escrow agreements have become a vital part of internal processes and contingency planning for North American and European financial services organisations when using third party software providers. They give end users the assurance that they can access the source code behind their business critical applications should the need arise.

We have seen in this paper that regulatory bodies have recommended the need to test and document the development and build of software and applications. This is provided through verification testing services which are led by an independent verification consultant who will work with both the financial services end users and the software providers to implement testing of the software to a level that is appropriate to meet the needs of the financial services sector.

For SaaS applications, NCC Group provides continuity solutions that enable financial services organisations to employ effective risk mitigation procedures when using or considering applications and systems that are hosted in cloud environments.

Services such as these provide an independent audit of your third party applications, systems and providers. Furthermore these services give financial services organisations assurance that their approach to third party software applications and systems development not only complies with regulation, but also mitigates key risks that are associated with the use of third party providers.


“An institution should ensure that its business continuity is not compromised by any outsourcing arrangement, in particular, of the operation of its critical systems, as stipulated under the Technology Risk Management Notice.”2

Consider Your Risk Level

The level of risk that financial services organisations are exposed to through dependency on third party supplied software applications will depend on a number of factors.

To ascertain its level of exposure, an organisation must implement a robust risk assessment model taking into account many issues including:

• Solvency of third party critical software and solution providers, with consideration given to regional regulations and IT questionnaires.

• Financial or reputational loss associated with the discontinuation of critical solutions and systems, resulting in compromised services.

• Whether sufficient protection is provided over the intellectual property rights to access and use source code, for those applications identified as critical to business operations.

• Whether alternatives for critical systems and applications exist or have been identified and if so, whether application and system risk is mitigated for any transition period to any identified products.

• Knowledge retention with regards to the development of in-house applications and systems, ensuring application build and deployment processes are documented to the required standard in order to safeguard against resource loss.

The output of a clearly defined risk assessment approach will determine the need for plans to be put in place to deal with the failure of a third party software provider.

You should consider how well documented your build processes are. Do you have validated and verified source code? Do you have the ability to extract your data if things go wrong?


Cloud Research

Results taken from a 2016 study3 in the APAC region show that “Singapore is the second most cloud ready country in Asia-Pacific”. “Today the attitudes toward implementing cloud and the related internal policies among financial services institutions in Asia Pacific is clearly maturing as it is increasingly seen as an enabler of the organization’s journey to digital transformation. But it is important to realize that a cloud strategy can only be successful if there is a clear understanding of cloud-related regulations”.4

As part of this paper, NCC Group conducted research comparing five North American and European (NAE) financial institutions against five APAC-based financial institutions. Based on this research we identified that APAC-based financial services organisations hold a considerably lower number of escrow and verification agreements than NAE institutions. This indicates that there are likely to be critical software applications that could not be recovered in the event of supplier service failure.

Cloud Application Risk

Although SaaS solutions are becoming the preferred choice within the industry, it is important to consider any issues that may arise that could prevent long term access to SaaS applications and data.

The following risks should be considered when using SaaS applications:

• Risk of SaaS provider insolvency and continuation of service should this occur.

• Whether there is sufficient documentation of credentials to access critical systems and portals, to allow for continuation of service with Infrastructure as a Service (IaaS) providers.

• Whether sufficient information about topology, network configuration, administrative processes and procedures has been documented independently to a reasonable standard.

Included in NCC Group’s suite of products are SaaS specific verification services, which give financial service organisations the ability to mitigate risk and ensure business continuity with regards to their current and future SaaS applications.

Cloud Readiness Scale

Rank  Country      Data Center  Cyber     Privacy  Government Regulatory  Intellectual Property
                   Risk         Security           Environment & Usage    Protection
1     Hong Kong    8.0          6.2       9.5      7.2                    8.6
2     Singapore    7.8          6.8       9.0      8.6                    8.9
3     New Zealand  6.8          7.4       9.0      8.1                    8.7
4     Australia    6.3          7.6       9.5      7.4                    8.3
5     Japan        5.9          7.1       8.0      7.8                    8.7


“The risks of downtime should be minimised through effective and appropriate planning and procedures and a high degree of system resilience”.5

Cloud Regulation

An overview of cloud-specific regulation within the APAC region conducted by the Asia Cloud Computing Association (ACCA) highlighted that “Cloud Services must be reliable. As a minimum, all of the Regulators require that the Financial Services Institution (FSI) has effective business continuity plans with appropriate service availability, recovery and resumption objectives and with regularly tested and updated procedures and systems in place to meet those objectives. The risks of downtime should be minimised through effective and appropriate planning and procedures and a high degree of system resilience.”

Hong Kong and Singapore have long been the financial hubs of the APAC region. With strong regulatory environments and highly developed financial infrastructure, it is no surprise that they are the jurisdictions of choice for financial institutions operating in the region. The regulations and policies of these financial hubs are closely aligned with those in Europe, promoting ‘international best practice’ in business assurance.

Using Singapore as an example it was highlighted that “Singapore has the most detailed set of business continuity requirements which the FSI must follow and ensure that the CSP complies with. The Singapore Regulations go into detail about what the targets should be and also include reporting requirements if the target is breached.”5

As the use of, and dependency on, third party applications becomes globalised, an organisation must consider not only its home regulatory requirements but also those of connected economies and the associated international standards and guidelines.


IAAS PARTNERS

[Figure: deposit flow. AMIs in the SaaS provider AWS environment are shared to the NCC Group AWS environment; CloudFormation templates, configurations etc. go to the NCC Group vault.]

NCC Group technology partners

Infrastructure-as-a-Service (IaaS) providers play an important part in a large percentage of cloud solutions. NCC Group has recognised the importance not only of being able to provide our solutions on these platforms, but also of forging key strategic partnerships with a variety of providers in this space, such as Amazon Web Services (AWS) and Microsoft Azure.

NCC Group is a registered technology partner with AWS, an influential thought leader in cloud computing. As with all of NCC Group’s strategic technology partnerships, this collaboration allows us to provide both SaaS customers and SaaS providers with technical assurance for the ever-increasing number of systems that use the large suite of services IaaS providers like AWS have to offer.

One of the benefits of NCC Group’s technology partnerships is the simplification of the deposit process for both hosted applications and SaaS providers. For example, NCC Group’s AWS account acts as the vault for the storage of any Amazon Machine Images (AMIs) associated with the application to be deposited.

When a deposit of materials is to be made, NCC Group will ask the SaaS provider to share the AMIs within their hosted AWS environment with the NCC Group AWS account. Any materials that can be exported from AWS by the SaaS provider, such as CloudFormation templates and configuration files, will be stored on a physical form of media. At the point where an escrow release is triggered, NCC Group will grant the customer access to all of the resources stored within AWS, and to any materials stored on physical media.
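The AMI-sharing step above is where a deposit most often turns out to be incomplete at release time, so what follows is an added example (not NCC Group code or tooling) of the checks an escrow agent can run before accepting a deposit. Granting a launch permission on an AMI does not give the escrow account read access to the EBS snapshots behind it, which it needs in order to copy the AMI into its own account and take custody; a share that is never copied remains owned by the provider and can be revoked. An AMI backed by a snapshot encrypted with the AWS managed key (aws/ebs) cannot be shared cross-account at all, and one encrypted with a customer managed key needs the escrow account granted in that key's policy. The account, image, snapshot and key IDs are hypothetical, and the inputs are constructed inline (shaped like boto3 describe_images, describe_image_attribute, describe_snapshots/describe_snapshot_attribute and describe_key responses) so the script runs offline:

```python
"""Deposit-readiness check for AMIs shared into an escrow agent's AWS account.

Added example, not NCC Group code. It models the deposit step above: a SaaS
provider shares AMIs from its own AWS account with the escrow agent's account.
All account, image, snapshot and key IDs are hypothetical; the inputs are
constructed to mirror boto3 EC2/KMS response shapes so the check runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List

ESCROW_ACCOUNT = "111122223333"  # hypothetical escrow agent account ID


@dataclass
class Finding:
    image_id: str
    severity: str  # "blocker": release would fail; "warning": custody is weak
    message: str


def check_deposit(images: List[dict], launch_perms: Dict[str, List[str]],
                  snapshots: Dict[str, dict], kms_keys: Dict[str, dict],
                  escrow_account: str = ESCROW_ACCOUNT) -> List[Finding]:
    """Cross-check each deposited AMI against what the escrow account can do.

    images:       describe_images()["Images"] for the deposited AMIs
    launch_perms: image ID -> UserIds from describe_image_attribute(launchPermission)
    snapshots:    snapshot ID -> {"Encrypted", "KmsKeyId", "CreateVolumePermissions"}
    kms_keys:     key ARN -> {"KeyManager": "AWS"|"CUSTOMER", "GrantedAccounts": [...]}
    """
    findings: List[Finding] = []
    for img in images:
        iid = img["ImageId"]
        # 1. The AMI itself must carry a launch permission for the escrow account.
        if escrow_account not in launch_perms.get(iid, []):
            findings.append(Finding(iid, "blocker",
                            f"no launch permission for {escrow_account}"))
        for bdm in img.get("BlockDeviceMappings", []):
            ebs = bdm.get("Ebs")
            if not ebs:
                continue  # ephemeral/instance-store mapping: nothing to share
            sid = ebs["SnapshotId"]
            snap = snapshots[sid]
            # 2. A shared AMI stays owned by the provider, who can revoke the share.
            #    Copying it into the escrow account (copy-image) requires read
            #    access to the backing snapshot, i.e. a createVolumePermission.
            if escrow_account not in snap.get("CreateVolumePermissions", []):
                findings.append(Finding(iid, "warning",
                                f"{sid} not shared: AMI can be launched but not copied "
                                "into the escrow account, so the share stays revocable"))
            # 3. Snapshots encrypted with the AWS managed key (aws/ebs) block sharing
            #    of the AMI outright; a customer managed key must grant the escrow
            #    account in its key policy.
            if snap.get("Encrypted"):
                key = kms_keys.get(snap.get("KmsKeyId", ""), {})
                if key.get("KeyManager") != "CUSTOMER":
                    findings.append(Finding(iid, "blocker",
                                    f"{sid} encrypted with AWS managed key; "
                                    "AMI cannot be shared cross-account"))
                elif escrow_account not in key.get("GrantedAccounts", []):
                    findings.append(Finding(iid, "blocker",
                                    f"{sid} key policy does not grant {escrow_account}"))
    return findings


def release_ready(findings: List[Finding]) -> bool:
    """True when nothing would stop the escrow account launching or copying."""
    return not any(f.severity == "blocker" for f in findings)


# Constructed sample deposit of three AMIs (hypothetical IDs).
CMK = "arn:aws:kms:ap-southeast-1:999988887777:key/11111111-aaaa-4bbb-8ccc-000000000001"
AWS_KEY = "arn:aws:kms:ap-southeast-1:999988887777:key/22222222-aaaa-4bbb-8ccc-000000000002"
SAMPLE_IMAGES = [
    {"ImageId": "ami-0a1b2c3d4e5f60001", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaa1"}}]},
    {"ImageId": "ami-0a1b2c3d4e5f60002", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0bbb2"}},
        {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"}]},
    {"ImageId": "ami-0a1b2c3d4e5f60003", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0ccc3"}}]},
]
SAMPLE_LAUNCH_PERMS = {  # ami-...0003 was never shared
    "ami-0a1b2c3d4e5f60001": [ESCROW_ACCOUNT],
    "ami-0a1b2c3d4e5f60002": [ESCROW_ACCOUNT],
}
SAMPLE_SNAPSHOTS = {
    "snap-0aaa1": {"Encrypted": True, "KmsKeyId": CMK,
                   "CreateVolumePermissions": [ESCROW_ACCOUNT]},
    "snap-0bbb2": {"Encrypted": True, "KmsKeyId": AWS_KEY,
                   "CreateVolumePermissions": []},
    "snap-0ccc3": {"Encrypted": False, "CreateVolumePermissions": []},
}
SAMPLE_KMS_KEYS = {
    CMK: {"KeyManager": "CUSTOMER", "GrantedAccounts": [ESCROW_ACCOUNT]},
    AWS_KEY: {"KeyManager": "AWS", "GrantedAccounts": []},
}


def sample_report() -> List[Finding]:
    return check_deposit(SAMPLE_IMAGES, SAMPLE_LAUNCH_PERMS,
                         SAMPLE_SNAPSHOTS, SAMPLE_KMS_KEYS)


if __name__ == "__main__":
    report = sample_report()
    for f in report:
        print(f"{f.severity.upper():8}{f.image_id}: {f.message}")
    print("release ready:", release_ready(report))
```

With real accounts the same inputs come from boto3 (ec2.describe_images, ec2.describe_image_attribute with Attribute="launchPermission", ec2.describe_snapshot_attribute with Attribute="createVolumePermission", kms.describe_key plus a read of the key policy). The provider grants the missing permissions with aws ec2 modify-image-attribute --launch-permission and aws ec2 modify-snapshot-attribute --create-volume-permission, after which the escrow agent can aws ec2 copy-image into the vault account so the deposit no longer depends on the provider keeping the share in place.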


CONTACT US

Andy Ramsbottom, Account Director
m: +44 (0) 770 350 1169
e: [email protected]

Jamie MacKay, Technical Account Manager
m: +44 (0) 734 205 4743
e: [email protected]

References

1. http://www.gartner.com/newsroom/id/3012117
2. http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/Outsourcing20Guidelines.pdf
3. http://www.computerweekly.com/news/450291453/Singapore-is-second-most-cloud-ready-country-in-Asia-Pacific
4. https://news.microsoft.com/apac/2016/06/07/cloud-is-critical-to-digital-transformation-in-the-asia-pacific-financial-sector-but-lack-of-regulatory-understanding-a-key-hurdle/#sm.001j2ton1xm8ef110jo2l0f3rtu6y
5. http://www.asiacloudcomputing.org/images/research/ACCA_Report_-_Web.pdf


www.nccgroup.trust

SSFSAPAC:V2/09:16

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face.

We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

About Escrow & Verification

With over 30 years’ experience we are one of the world’s leading software escrow providers protecting business critical software, data and information through escrow, verification testing and SaaS continuity services.

Over 15,000 organisations worldwide benefit from our ability to offer our services under a variety of international laws and the assurance that comes from our global network of secure storage vaults across the UK, North America and Europe. Our expertise, offering and global scale are backed up by in-house technical and legal teams, guaranteeing an independent and quality service.

The principle behind our escrow offering is clear – to protect all parties involved in the development, supply and use of business critical software applications, information and technology.
