The European Securities and Markets Authority (ESMA) published on May 10 nine overarching Guidelines on outsourcing to cloud service providers. The Guidelines cover not only delegation arrangements between a firm and a cloud service provider (CSP), but also arrangements between a firm and a third party which is not a CSP but which "relies significantly on a CSP to perform a function that would otherwise be undertaken by the firm itself".
Some of the provisions of the guidelines are as follows:
Governance, oversight and documentation. Firms should consider the following:
- Clearly assign the responsibilities for the documentation, management and control of cloud outsourcing arrangements.
- Allocate sufficient resources to ensure compliance with the guidelines and the relevant legal requirements.
- Establish a cloud outsourcing oversight function responsible for managing and overseeing the risks related to cloud outsourcing arrangements.
- Monitor the performance of activities, the security measures and the adherence to agreed service levels by their CSPs.
- Maintain an updated register of information on all cloud outsourcing arrangements, with a clear distinction between the outsourcing of critical or important functions and other outsourcing arrangements.
Pre-outsourcing analysis and due diligence. Firms should consider the following:
- Assess whether the cloud outsourcing arrangement concerns a critical or important function.
- Identify and assess all relevant risks of the cloud outsourcing arrangement.
- Undertake appropriate due diligence on the prospective CSP.
- Identify and assess any conflict of interest that may arise from the outsourcing.
- Use certifications based on international standards and external or internal audit reports during the due diligence process.
Key contractual elements. The respective rights and obligations of a firm and its CSP should be clearly set out in a written agreement and include at least:
- A clear description of the outsourced function.
- The firm's and the CSP's financial obligations.
- The governing law of the agreement.
- The agreed service levels.
- The reporting obligations of the CSP to the firm.
- Provisions regarding the management of incidents by the CSP, including the obligation for the CSP to report to the firm without undue delay incidents that have affected the operation of the firm's contracted service; etc.
Information security. Firms applying a risk-based approach should at least:
- For information security organisation, ensure that there is a clear allocation of information security roles and responsibilities between the firm and the CSP, including in relation to threat detection, incident management and patch management.
- For identity and access management, ensure that strong authentication mechanisms (e.g. multi-factor authentication) and access controls are in place with a view to preventing unauthorised access to the firm's data and back-end cloud resources.
- For encryption and key management, ensure that relevant encryption technologies are used, where necessary, for data in transit, data in memory, data at rest and data back-ups, in combination with appropriate key management solutions to limit the risk of unauthorised access to the encryption keys; in particular.
- For operations and network security, consider appropriate levels of network availability, network segregation and processing environments.
- For application programming interfaces (APIs), consider mechanisms for the integration of the cloud services with the systems of the firm to ensure the security of APIs.
- For business continuity and disaster recovery, ensure that effective business continuity and disaster recovery controls are in place.
- For data location, adopt a risk-based approach to data storage and data processing location(s) (namely regions or countries…
Firms should also consider the details provided in the remaining guidelines, which cover exit strategies, access and audit rights, sub-outsourcing, written notification to competent authorities and supervision of cloud outsourcing arrangements.