New guidance from official regulators should be music to the ears of anyone involved in compliance. Clarification, reference points and approved examples make the business of compliance that much more straightforward and are generally welcomed by compliance experts. In that spirit, it was with the best intentions – to clear the pathway to cloud adoption for financial services companies – that the European Banking Authority issued the guidance with which the financial sector must comply by 1 July this year.
Still, compliance experts on both sides of the cloud service provider (CSP)/customer divide might be forgiven for scratching their heads when it comes to interpreting the new directions in a real-world scenario.
The EBA has opted for a principles-based, technology neutral approach to the guidance. In some ways this makes sense – technology is evolving at an astonishing rate and being too prescriptive could risk limiting the ability to make the most of the next exciting innovation. However, I feel that financial services companies require some more prescriptive standards, certifications and best-practice examples to provide greater clarity and help them unlock the benefits of cloud computing. As a cloud compliance specialist, here is my take on some of the key elements of the EBA guidance and how financial companies and CSPs will need to work together to comply with its principles.
Third party oversight offers verifiable, auditable trust
The guidance requires that financial organisations seek full understanding of the risks associated with their cloud outsourcing operations and the level of data and system security that CSPs will deliver. Therefore, the initial priority for a financial organisation is to establish that its cloud service provider – or prospective provider – has identified and is operating their risk, security and personal information management systems to a standard that will satisfy the guidance. This is not a small hurdle: the guidance does not specify which of the available standards is acceptable so there is a degree of subjectivity involved in deciding what constitutes a sufficiently rigorous approach. This will likely lead to a longer due diligence and discovery phase. Organisations should look for CSPs that are ISO 27001-certified for information security management as a minimum, but for cloud-specific aspects of security, the Cloud Security Alliance (CSA) Star certification programme provides auditable ongoing assurance that the provider is meeting and sustaining the highest standards.
When it comes to personal information security the forthcoming EU General Data Protection Regulation (GDPR) has prompted some CSPs who are leading the market in cloud compliance to certify to BS 10012:2017, which ensures they are operating best practice systems for data protection under the GDPR and should meet the level of assurance required by the guidance.
Third party oversight and validation from certifications such as CSA Star and BS10012:2017 plus transparency into the policies and processes of the cloud provider allow financial institutions deep insight into the operations and procedures of their cloud partners. The key mantra here should be verifiable trust and transparency.
It’s important to note, also, that standards continue to evolve alongside the environment they relate to and CSPs have to work continuously to achieve ongoing certification. Including references to industry standards in the EBA’s guidelines like the ones I’ve mentioned above will provide useful signposts towards the route that financial organisations should take to achieve compliance.
Best practice SLA and monitoring relationships
The ability to continuously monitor the security and risk of cloud service provision is a key axiom of the guidance and will be critical to the success and compliance of the cloud outsourcing relationship. To achieve this it’s vital that the CSP and the financial organisation’s risk and monitoring programmes are aligned. If you have to decipher and translate risk and monitoring programmes between entities, confusion and disconnects will arise. Again, standards offer a solution: if both entities are aligned to ISO 27001 there is a common approach on which to build an effective monitoring strategy.
A best-practice service level agreement and monitoring relationship should be instigated at executive level within both organisations, reflecting its importance to both parties. A strong and transparent working partnership between the risk and compliance teams on both sides should underpin the regular cycle of audit, reporting and assurance. Look for a cloud service provider that provides visibility into your cloud resources and the associated security settings and compliance postures as well as a straight-forward means of getting the reporting you need for auditing purposes.
Chain outsourcing: Overcoming the financial sector’s Achilles heel
Outsourcing of any kind has historically been a major challenge and strictly regulated in the financial sector. In recognition of the flexible and collaborative nature of cloud service providers, the new guidance sets out the terms and processes under which chain outsourcing – a cloud provider outsourcing an element of its provision to a third party – is acceptable. As with most aspects of the guidance, strong emphasis is placed on ongoing risk management and transparency between the CSP and financial organisation. CSPs must agree to notify the financial institution should they subcontract an element of their service to another provider and must ensure that the subcontracted company meets the same standards set out in the original agreement between the CSP and its customer. Consent from the financial institution is not required, however, as this is deemed impractical. It is the responsibility of the financial organisation to determine whether the third party outsourced arrangement now constitutes unacceptable risk.
Throughout all aspects of the EBA guidelines it is abundantly clear that the relationship between financial organisations and their CSPs needs to be extremely close and transparent, and conducted at a senior level. Verifiable trust through certification is the linchpin of the whole relationship and the partnership will be dysfunctional (and potentially inviable) without this cornerstone in place.
In future guidance, I would like to see the EBA put more definition around the exact standards and best practices it expects to see in financial sector cloud outsourcing projects, but in their absence I hope that financial companies will discover that CSPs themselves can offer the consultative expertise needed to help them unlock the many benefits of the cloud.