• The digitalization of Vietnam’s economy has seen significant growth in the past decade and is expected to rise to USD 57 billion by 2025.

    With the pandemic accelerating Vietnam’s digital economy, we are seeing strong development of its digital infrastructure and cyber economy. This has compelled the government to step up its efforts in promoting innovation in the technology space through various endeavours, including the introduction of regulations as well as incentivization. While e-commerce, Fintech, and ICT are the key industries driving Vietnam’s digital growth, digital transformations are also rippling across most sectors with effects on cybersecurity, ICT infrastructure, cloud computing, Industry 4.0, e-government, digital skills, and national policies. In support of this, it is noted that the financial services industry has been designated to take a pioneering role in establishing an entirely digitalised, human-centred system through the State Bank of Vietnam’s (SBV) plan for digital transformation by 2025. Aggressive digital development strategies and regulatory requirements such as the Cybersecurity Law and information system security requirements from the Vietnamese government and financial regulators like SBV are critical in ensuring a smooth, secure and compliant adoption of digital technology such as cloud infrastructure.

  • General Cybersecurity Law:
    Vietnam’s Cybersecurity Law of 2018 has 43 articles in 7 chapters. It sets out to regulate activities of protecting national security and ensuring social order and safety in cyberspace, and the responsibilities of the agencies, organizations and individuals involved.
    1. Law No. 24 of 2018

  • Overview:
    The financial institutions (FIs) in Vietnam are undergoing significant digital transformations to stay competitive in the fast-changing business environment. It is noted that the financial services industry has been designated to take a pioneering role in establishing an entirely digitalised, human-centred system through the State Bank of Vietnam’s (SBV) plan for digital transformation by 2025. The cloud works as a foundation for digitalization to empower FIs with strong capabilities in computing and analyzing, while letting FIs enjoy cloud-native security features. Alibaba Cloud offers a high degree of flexibility in designing and implementing the IT architecture on the cloud. With proper solution design, it can meet the requirements of high security, resilience, recoverability and performance for the regulated entities in the financial services industry. Alibaba Cloud is committed to facilitating customers in compliance with financial industry-specific regulatory requirements. Alibaba Cloud provides a full suite of offerings that can help with the initial due diligence and risk assessment, solution selection, implementation and transition, and post-implementation assurance. The full suite includes responses in every due diligence evaluation aspect, best practices in services and product configuration, automated and continuous security check tools, and third-party assurance over the design and operational effectiveness of internal controls.


    Regulator:
    The State Bank of Vietnam (SBV) is responsible for the state management of monetary and banking activities and foreign exchange in Vietnam. As part of its operations, the State Bank of Vietnam aims at ensuring safe and sound banking operations and the system of credit institutions and ensuring safety and efficiency of the national payment system.


    Regulations/Guidelines to look at when using cloud computing services:
    1. Circular No. 09/2020/TT-NHNN prescribing Information System Security in Banking Operations is the key regulation that is applicable to financial institutions in Vietnam when adopting cloud. The Circular provides for minimum requirements for assurance of information system security in banking operations, including management of third-party information technology services. Circular No. 09 also provides specific guidance on the general principles of using third-party services, the requirements for use of third-party services, the criteria for selection of third parties meeting the requirements, conclusion of service contracts with a third party and the institution’s responsibilities for use of services provided by a third party. The articles in Circular No. 09 that are relevant to cloud adoption include:
    1. Article 33: Requirements for use of third parties’ services
    2. Article 34: Criteria for selection of a third party providing cloud computing services
    3. Article 35: Conclusion of service contract with a third party
    4. Article 36: Institution’s responsibilities for use of services provided by a third party


    What are the requirements for using Cloud Services by Third-Party Service Providers?
    1. Conduct information technology risk assessment and operational risk minimization, which includes the following:
    - Risk identification, analysis and estimation of level of harm, forecast of threat to information security;
    - Ability to control business processes, ability to provide continuous service to customers, ability to fulfil obligations to provide information to state agencies;
    - Roles and responsibilities of related parties in ensuring service quality are clearly defined;
    - Measures to minimize risks, prevent and respond to problems and overcome them are thoroughly contemplated;
    - Review and adjust the risk management policy (if any).

    2. When cloud services are used, in addition to meeting the selection criteria applicable to all IT services, the customer must also:
    - Classify operations and businesses planned for deployment on cloud computing based on the assessment of impacts of such operations and businesses on the operation of organizations;
    - Develop a contingency plan for components of information systems classified Level 2 or higher. The backup plan must be tested, assessed, and ready to replace the activities and operations deployed on cloud computing;
    - Develop criteria for the selection of a third-party provider;
    - Review, supplement, and apply measures to ensure information security of organizations, limit access from cloud computing to information systems of organizations.

    3. If a third party is hired to perform all administration-related activities of information systems classified at Level 2 or higher, the customer must organize the risk assessment in accordance with Item 1 above and submit the risk assessment report to the SBV's Information Technology Department. The criteria for the selection of third-party cloud computing service providers must include, at a minimum, the following:
    - Service providers must be enterprises established and operating under the law;
    - Service providers are equipped with IT infrastructure fitting the service provided, which: (i) satisfies current Vietnamese regulations; or (ii) possesses valid international certificates on information security.


    Will my data be accessible by unauthorized entities?
    Alibaba Cloud, a cloud service provider, does not have access, without the customer’s authorisation, to customers’ information or to data they may have uploaded to the Alibaba Cloud service in the course of their use of the cloud service. Customers have full control over their information or data. Alibaba Cloud has put in place robust controls over physical and environmental security, network and systems security, access management, monitoring and audit to safeguard the cloud platform and prevent customers’ data from unauthorized access. Alibaba Cloud also provides a multitude of security products and features to help customers protect data in the cloud, such as encryption of data at rest and in transit, Anti-DDoS, Web Application Firewall, etc. Please refer to the security whitepaper for more details.
    Alibaba Cloud Security Whitepaper

Informational Resources
Alibaba Cloud strives to provide customers with consistent, reliable, secure, and compliant cloud computing services, helping customers ensure the confidentiality, integrity, and availability of their systems and data.
This white paper introduces the public cloud security system of Alibaba Cloud, specifically for Alibaba Cloud’s security capabilities and offerings for regions outside of Mainland China.
Alibaba Cloud’s compliance program includes a comprehensive range of certifications, worldwide attestation reports, and our commitment on data protection. It is a compilation of attestations and certifications at the global and regional levels and across various industries.
