Qatar Central Bank's 'Cloud Computing Regulations' - Contractual Considerations for Cloud Service Providers' Agreements
Cloud Computing and its associated outsourcing have become widespread in the business world in the past decade. The operational flexibility, reliability, and recovery speeds that Cloud Computing offers can be advantageous. However, it also introduces new risks, particularly in terms of security when data is stored externally. The "Cloud Computing Regulation" by Qatar Central Bank 'QCB', effective as of 15/04/2024, aims to address these risks by requiring Entities to perform due diligence on, and to prepare and maintain, their Cloud Computing Arrangements. This regulation must be followed in conjunction with QCB's Sector-Specific Security Regulation for each Entity. Its goal is to establish standards for secure and well-structured usage of Cloud Computing Arrangements by Entities, defining the minimum requirements for implementing and maintaining the controls necessary for selecting, using, and exiting Cloud Computing services. The regulation applies to all QCB regulated Entities considering Cloud Computing deployments, as well as those already utilizing Cloud Computing services. This article outlines the contractual considerations that must be addressed in the contracts with Cloud Service Providers.
It is imperative for an Entity to ensure that the rights and obligations of both the Entity and its Cloud Service Provider (CSP) are clearly outlined in a written agreement. This agreement can be established directly between the Entity and the CSP or through an intermediary who may also be involved in providing certain aspects of the Cloud Computing service. Furthermore, the written agreement must explicitly allow the Entity the option to terminate it if necessary.
When entering into a Material Arrangement, an Entity must ensure that the written agreement addresses various crucial issues. These issues include, but are not limited to, a comprehensive description of the outsourced function, enforceable and measurable Service Level Agreements (SLAs), and a defined governance framework to manage the contract on an ongoing basis. The SLAs should also specify the management information and other deliverables that will form the basis for this governance.
The agreement should clearly state the start and end dates, if applicable, along with the notice periods for both the CSP and the Entity. Additionally, it should outline the roles, relationships, obligations, and responsibilities of all parties involved in the contract. If the CSP is expected to have some level of control over IT Assets, the agreement must define the extent of this control.
Provisions regarding information security and the protection of personal data are of utmost importance. These provisions must demonstrate compliance with the requirements of the Law No. (13) of 2016 on Personal Data Privacy Protection, as well as the Sector-Specific Security Regulation issued by QCB.
Furthermore, the agreement should include a requirement for the CSP to grant the Entity, its competent authorities, and any other authorized individuals the right to access data and business premises, as well as the ability to conduct audits. It is crucial for an Entity to have the right to monitor, review, and audit Cloud Computing Arrangements. This can be done by the Entity's internal control functions, regulators, or individuals employed by them, including for the purpose of supervisory reviews by QCB.
An Entity is required to ensure that it is provided with relevant reports related to its security function and key functions by the CSP, such as reports produced by the internal audit function of the CSP.
An Entity should be provided with detailed information on cyber security measures by the CSP, including but not limited to: malware protection, cryptographic controls, security testing, technical compliance, Key Performance Indicators (KPIs), and Key Risk Indicators (KRIs).
The agreement should clearly outline whether subcontracting is allowed by the CSP directly or through other parties, and, if so, which types of subcontracting are permitted and under what conditions.
Provisions in the agreement should cover the management of incidents by the CSP, including the requirement for the CSP to promptly report any incidents that have impacted the operation of the Entity's contracted service.
The agreement should also address the generation of digital forensic evidence, specifying whether original forensic evidence will be used or copies accompanied by a documented chain of custody. The prerequisites for the chain of custody should be communicated and documented in the contract.
Additionally, the agreement must address e-discovery costs and forensics requirements, including the associated costs and response times.
Prior to entering into any Material Arrangement(s) or making any significant modifications to an existing one, an Entity must obtain official approval from the QCB.
An Entity's contract with the CSP must include clauses that guarantee data confidentiality, availability, and integrity at all times, depending on the nature of the service provided by the CSP.
10 months: Another insightful one. Thanks, Yazan.