By Ambreesh Khanna, Group Vice President and General Manager of Oracle Financial Services
There’s no doubt about it. Technology has come to define the relationship between businesses and their customers. Industry by industry, companies are reacting to the changing expectations of their customers for a self-service, personalized, mobile-driven experience on one hand, and increasingly digital and data-focused regulation on the other.
Much of the convenience we as consumers experience is enabled by cloud technologies, but the benefits to companies investing in the technology don’t begin and end with the customer. Those companies that were early adopters have also seen significant operational benefits, are better able to act on market opportunities and can more flexibly manage risk.
With such far-reaching benefits, it’s puzzling that the financial services industry has treated the cloud with caution, especially in its more regulated risk and finance functions where the technology brings clear benefits.
If financial services companies were still unconvinced by the security and general suitability of the cloud, then the recent guidance from the European Banking Authority (EBA) should allay such fears and pave the way for firms to embrace the cloud.
Clear guidance from the regulators
At the end of 2017, the EBA issued its long-awaited Final Recommendations on Cloud Outsourcing, clearing the way for financial services institutions to adopt cloud solutions and highlighting the flexibility and operational efficiencies that the technology brings to bear.
The publication of the EBA’s report should remove uncertainty and complexity for financial services companies that are unsure where to start or what to look for when choosing a cloud partner. In particular, the report provides guidance in five key areas:
- Access and audit rights – The EBA outlines the need to contractually secure both the right to audit for institutions and competent authorities and the physical access to the relevant business properties of cloud service providers.
- Data and system security – The updates in the report highlight the importance of data integrity and traceability, offering direction on the security measures financial institutions should consider when leveraging cloud service providers. In particular, the EBA calls for traceability mechanisms to detect and alert financial institutions to malicious attempts to undermine the security of data and systems.
- Location of data and data processing – The report also outlines a risk-based approach that includes adequate controls and measures to protect data in transit, in memory and at rest, such as encryption. The EBA has also considered the fact that cloud services providers often operate a geographically dispersed computing infrastructure, and the report outlines specific requirements for data and data processing locations.
- Chain outsourcing – Detailed requirements in the report highlight the need for mitigating the risks associated with chain outsourcing, whereby a cloud service provider subcontracts to other providers. It should be made clear when subcontracting is permitted, and the cloud service provider must provide contracted assurances that the services provided under the outsourcing agreement will not be affected.
- Contingency plans and exit strategies – The EBA report also provides comprehensive guidance on contractual and organisational arrangements for contingency plans and exit strategies from a cloud service. The outsourcing institution should have plans in place to ensure business continuity even if the cloud provider suffers outages or falls below the agreed levels of service.
The materiality of cloud services
Furthermore, the EBA’s report offers a framework for assessing, defining and communicating the materiality of cloud services to regulators. Firms are required to carry out a formal materiality assessment of risks and controls in using a cloud service provider. Moreover, in line with various privacy laws, the report recommends that local regulators sign off on each assessment and periodically audit the cloud service provider for security, controls and compliance. Financial institutions may also be required to execute such audits internally.
The use of a consolidated cloud services provider is one of the simplest ways to help reduce the burden of repeated materiality assessment as multiple use cases can be evaluated through a single thorough assessment and approval process. The use of multiple cloud vendors providing a variety of services will inevitably increase the complexity of this process and detract from any efficiency gains experienced from moving to the cloud.
Choosing the perfect partner
Now that the EBA guidelines have been published, financial services organisations have a clear route to the cloud and a better understanding of the requirements of any cloud services partner(s) they may align with. Before approaching cloud services providers there are a number of key questions to consider:
- Does the cloud provider have established security and privacy programs that are supported by independent certifications?
- Does the provider offer a rich set of features to deliver security and privacy protections?
- Can they support a risk-based approach that includes the deployment of adequate controls and measures, for instance the use of encryption technologies for data in transit, data in memory and data at rest?
- Does the vendor have confidence that their network and computing resources can meet and scale with enterprise business demands without impacting availability?
- Does the provider have the necessary redundancy and protections at numerous levels to safeguard against business-impacting events such as disasters?
- Is the cloud services provider committed to providing an experienced security function and willing to collaborate on security and risk topics?
- How does the vendor help to support the migration/exit strategy of a financial institution, should it decide to change providers?
- Are any of your configurations transportable outside of their cloud service? What about core data?
- Do they offer a complete service lifecycle from production through to cloud service / SaaS (single ownership)?
- Will the cloud service provider support all comprehensive audit requirements in terms of the right to audit for institutions and competent authorities, and ensure secure physical access to their cloud services operations?
The sky’s the limit
Financial services organisations now have the clarity to create a comprehensive, secure and efficient cloud strategy for their business. As with most changes in the financial services industry, careful planning is critical to success; the benefits, however, can be substantial.
It is those desired outcomes (reduced complexity, greater flexibility and agility, lower costs and better business outcomes) that financial institutions must bear in mind when developing their migration strategy and choosing a cloud services partner that can take their business forward.