Ambreesh Khanna, Group Vice President and General Manager of Oracle Financial Services
Financial services organizations find themselves in an IT quandary. Tech innovation has long been a hallmark of the industry, with firms embracing the business benefits that it can provide. When it comes to cloud, however, financial services organizations have proceeded cautiously, especially in tapping its power for heavily regulated risk and finance functions.
The skies appear to be clearing thanks to expectations surrounding the recent guidance from the European Banking Authority (EBA) – paving the way for firms to embrace cloud for a growing number of use cases.
In 2017, the European Banking Authority (EBA) issued its long-awaited Draft Recommendations on Cloud Outsourcing, with final guidance expected to follow shortly. The recommendations, once finalized, are expected to clear the way for accelerated cloud solution adoption among financial services institutions.
The recommendations highlight cloud services' ability to deliver economies of scale, flexibility, and operational efficiencies. They also address the unique challenges that cloud services present and appear to offer guidance and recommendations in five key areas:
- Data and system security – The EBA updates highlight the importance of data integrity and traceability, offering guidance on how financial institutions should address security when leveraging cloud service providers. Specifically, the report calls for appropriate traceability mechanisms designed to detect malicious attempts to undermine the security of data and systems.
- Location of data and data processing – The EBA outlines a risk-based approach that includes implementation of adequate controls and measures, such as the use of encryption technologies for data in transit, in memory, and at rest. As cloud service providers often operate a geographically dispersed computing infrastructure, the recommendations provide specific requirements for data and data processing locations.
- Access and audit rights – The report calls attention to the need to contractually secure both the right to audit for institutions and competent authorities and the physical access to the relevant business premises of cloud service providers.
- Chain outsourcing – Specific requirements were shared by the EBA for mitigating the risks associated with chain outsourcing, where a service provider subcontracts to other providers. There should be transparency as to when subcontracting is permitted, and assurance that the use of subcontractors by a cloud service provider will not affect the services provided under the outsourcing agreement.
- Contingency plans and exit strategies – The recommendations provide guidance on contractual and organizational arrangements for contingency plans and exit strategies from a cloud service. The outsourcing institution should plan and implement arrangements to maintain the continuity of its business in the event that the provision of services by an outsourcing service provider fails or deteriorates to an unacceptable degree.
Assess, Define, Communicate, and Audit
In addition, the EBA outlines guidance for assessing, defining, and communicating the materiality of cloud services to regulatory organizations. It calls for firms to conduct a formal materiality assessment of risks and controls in using a cloud service. In addition, it suggests that local regulators are to approve each assessment and then regularly audit the cloud service provider for security, controls, and compliance with various privacy laws. Financial institutions may also be required to conduct such audits.
Consolidation with a single cloud services provider can help to mitigate the materiality assessment burden, as multiple use cases (such as Basel and liquidity) can be covered through a single comprehensive assessment and approval process. Fragmentation across different cloud vendors will naturally increase the complexity of this process.
Make A List
With the EBA guidelines nearing completion, financial services organizations will soon have a new outline to accelerate their journey to the cloud. We share several of our considerations when selecting a cloud services partner:
- Does the cloud provider have established security and privacy programs that are reinforced by independent certifications?
- Has the provider established a set of rich features to provide security and privacy protections?
- Can the vendor support a risk-based approach that includes implementation of adequate controls and measures, such as the use of encryption technologies for data in transit, data in memory, and data at rest?
- Does the provider have the network and computing resources to meet and scale to enterprise business demands without impact to availability?
- Does the provider have the required redundancy and protections at various levels to protect from business impact events such as disasters?
- Is the provider committed to an experienced security function, and is it willing to collaborate on security and risk topics with the customer?
- How does the provider help to support your migration/exit strategy if you decide to change services?
- Are any of your configurations transportable outside their cloud service? What about core data?
- Does the vendor offer a complete service lifecycle from production through cloud service / SaaS (single ownership)?
- Does the vendor support comprehensive audit requirements, in terms of the right to audit for institutions and competent authorities, and ensure physical access to their cloud services operations?
Up, Up, and Away
The EBA Recommendations on Cloud Outsourcing provide the clarity that financial services organizations need to create a comprehensive cloud strategy for their organization. As with any journey, careful planning is essential to success. In developing a migration strategy and choosing a partner, it is important to remain focused on the intended outcomes: reduced complexity, greater flexibility and agility, lower costs, and better business outcomes.