3.24A Cloud Computing arrangement is considered material when a disruption in service or breach of security or confidentiality of systems and/or Data may have the potential to materially impact:
a.The Institution’s business operations;
b.The Institution’s ability to manage risks;
c.The Institution’s ability to comply with applicable laws and regulations; or
d.The confidentiality or integrity of an Institution’s or Customer’s Personal Data (i.e. if the arrangement may lead to unauthorized access, disclosure, loss or theft of Personal Data).
3.25Institutions should conduct an assessment to determine the materiality and the associated risks of a Cloud Computing arrangement. When conducting such an assessment, Institutions should consider:
a.The criticality and inherent risk profile of the Cloud Computing arrangement i.e. activities that are critical to the business continuity/viability of the Institution and its obligations to Customers;
b.The impact and likelihood of a service failure, security breach or other event on an Institution’s business operations or reputation;
c.The impact and likelihood of a confidentiality breach, loss or theft of Customer Data or breach of Data integrity of the Institution and its Customers; and
d.The cost and other resources to support a Cloud Computing arrangement.
3.26Institutions should engage the relevant Supervisory Authority of any material Cloud Computing plans in order to address any concerns and expectations early in the design process before implementing any material Cloud Computing arrangement. This approach must comply with existing outsourcing requirements set by the relevant Supervisory Authority, including, where appropriate, the need to seek approval for material Cloud Computing plans.