Guideline on Cloud Outsourcing For the Macau Insurance Sector

Definition of Cloud Outsourcing under the Supplementary Guideline

Cloud computing services encompass a broad spectrum of services that provide on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services), which can be rapidly provisioned and released. These services can be delivered through various service and deployment models with detailed descriptions outlined in the Guideline.

Scope of Application

The Supplementary Guideline applies to all insurers, reinsurers, and pension fund management companies incorporated in Macao, as well as the Macao branches of foreign institutions ("Authorised Institutions").

It applies to all material cloud arrangements, including, but not limited to, the service models and deployment models mentioned in the Supplementary Guideline that involve material business activities / functions. This includes situations where the Authorised Institutions enter into outsourcing arrangements either directly with a Cloud Service Provider ("CSP") offering relevant material outsourcing services or with a service provider that relies significantly upon a CSP for the delivery of such services. Examples of material cloud outsourcing arrangements are provided in Appendix 1 of the Supplementary Guideline.

Whenever cloud services are arranged by the Authorised Institution's head office and extended to the Authorised Institution (even without a direct CSP-Authorised institution contract), the arrangement is still considered cloud outsourcing. Under such circumstances, Authorised Institutions must:

• Document governance structures and oversight mechanisms set by the head office;
• Obtain assurance or attestations regularly from the head office on compliance with key risk management requirements;
• Implement local monitoring and oversight procedures for cloud services affecting their operations.

Even for non-material cloud outsourcing arrangements, Authorized Institutions should appropriately identify, address and monitor potential risks by taking into consideration the nature, scale, and complexity involved.

Due Diligence Requirements

Authorised Institutions should perform thorough due diligence of a CSP before and throughout cloud arrangements, proportionate to the arrangement's complexity and materiality. Minimum areas of due diligence shall include the CSP´s:

• Financial stability and viability
• Reputation and relevant experience
• Technical capability, robustness, and resilience of cloud infrastructure
• Information security and data protection measures
• Business continuity and disaster recovery plans
• Regulatory compliance and adherence to industry standards
• Contractual terms including service level agreements, liability, and termination rights

Additionally, cloud-specific risks such as multi-tenancy risks, concentration risks, and supply chain risks must also be assessed during due diligence. For cloud operations spanning multiple geographic regions, Authorised Institutions should also perform due diligence to address cross-border jurisdictional risks.

Regulatory Consultation

Authorised Institutions are required to consult and discuss their cloud outsourcing plans with AMCM before entering any material cloud arrangements.

Governance Framework

Authorised Institutions must establish a governance framework ("Framework") for cloud outsourcing aligned with their overall business and IT strategies, policies, and internal processes, or adapt existing outsourcing policies to address specific cloud risks. Moreover, responsibilities and authorities for managing cloud arrangements must be clearly defined, documented, and communicated to the board, senior management, and relevant stakeholders. The board and senior management are responsible for reviewing and approving this Framework, which must minimally address the following:

• Planning Stage including Business requirements, risk assessments, due diligence, and approval processes
• Roles and Responsibilities of responsible personnel for documentation, management and monitoring
• Ongoing Monitoring and assessment procedures to outsourcing arrangements and CSPs
• Data Location and Transfer requirements
• Cloud Subscription and Billing Management
• Security Controls
• Audit / Review Arrangements
• Business Continuity Management
• Exit Strategy

Regular Risk Assessment and Ongoing Monitor Mechanism

Authorised Institutions should conduct regular and comprehensive risk assessments and monitoring mechanism covering CSP’s regulatory compliance, security controls, and data centre operations. Assessments must address potential operational, security, resilience, concentration, and supply-chain risks and the following elements should be reviewed regularly:

Adequacy of Contingency Plan (data portability, interoperability)
Feasibility of multi-cloud strategies
Existence of exit strategies to ensure smooth transitions

Legal, Regulatory, and Data Handling:

Authorized Institutions should clearly understand relevant legal and regulatory frameworks, contractual obligations and data location requirements before cloud migration. Data processing and storage jurisdictions should be agreed with CSPs, and Authorized Institutions should retain contractual rights to reject or terminate arrangements if unsuitable changes to data locations occur.

Requirements for Cloud Outsourcing Arrangement Negotiation and Agreements

Authorized Institutions should clearly agree with CSPs on billing models, usage monitoring, reporting requirements, and establish safeguards to prevent unexpected service cessation due to exceeded quotas.

In addition to the requirements set forth in the Outsourcing Guideline, cloud outsourcing agreements with CSPs should explicitly define:

• Data centre locations and approval procedures for changes
• CSP obligations for incident response, investigation, recovery assistance, and support for exit processes

Post Notification to AMCM

Material cloud outsourcing agreements and supporting documentation must be submitted to AMCM within 30 days, together with the form designated for filing purpose.

Audits or Certifications requirements

Regular external or internal audits of cloud arrangements are required. Third-party certifications or reports from independent, reputable organizations may be accepted provided that the certifications or reports are:

• conducted by skilled, qualified, independent parties as listed in appendix 3 of the Supplementary Guideline.
• Cover relevant CSP systems and operations.
• up-to-date, applicable, and address key risk areas.

Cloud Security Control

Authorised Institutions must implement robust security controls to mitigate risks associated with cloud arrangements. Responsibility for managing these controls may vary depending on the cloud service model adopted. In any case, Authorised Institutions remain ultimately accountable for safeguarding their information and must therefore proactively identify and apply the appropriate security controls relevant to their cloud arrangements.

Areas of security control are included but not limited as follows:

• Cloud´s Architectural Design
• Virtualisation and Containerisation
• Data Security and Encryption
• Application Security
• Identity and Access Management
• Change and Configuration Management
• Event and Security Incident Management
• Business Continuity Management

Date of Application

Authorised Institutions must fully comply with the Supplementary Guideline within 12 months of its issuance, i.e., by 1 May 2026. Existing Cloud Outsourcing Arrangements entered into before the effective date will be grandfathered, provided they are reviewed for compliance with the key principles of the Supplementary Guideline. If the review of material operational outsourcing arrangements is not completed within the stipulated period, Authorized Institutions must notify AMCM, outlining the planned measures or exit strategy and may request an extension to complete the revision.

It is important to note that, when outsourcing to a cloud service provider, Authorized Institutions must comply with the requirements outlined in this Supplementary Guideline, without prejudicing any other requirements set forth in the Outsourcing Guideline.