The FCA published the results of its consultation on cloud computing on the 7th July. It has some deep impacts on the way that Authorised Firms manage their IT provision. Here is IP Sentinel's guide to the five most important aspects.
It is Outsourcing
The guidance makes clear that IT provision falls within the definition of outsourcing. This implies that Firms should be cognisant of the requirements set out in SYSC 8 before, during and after the engagement.
…It is important to note that where a third party delivers services on behalf of a regulated firm – including a cloud provider – this is considered outsourcing and firms need to consider the relevant regulatory obligations and how they comply with them.
ACTION: Firms should review their IT outsourcing arrangements in light of SYSC 8 as a matter of good governance.
The FCA reiterate that firms can outsource the delivery, but not the responsibility, of any IT system or service. The guidance explicitly states that a Firm should retain competent resources to manage any outsourcing as a prudent check and balance.
Firms retain full accountability for discharging all of their responsibilities under the regulatory system and cannot delegate responsibility to the service provider. At a high level, a firm should:
- be clear about the service being provided and where responsibility and accountability between the firm and its service provider(s) begins and ends
- allocate responsibility for the day-to-day and strategic management of the service provider
- ensure staff have sufficient skills and resources to oversee and test the outsourced activities; identify, monitor and mitigate against the risks arising and properly manage an exit or transfer from an existing third-party provider
- verify that suitable arrangements for dispute resolution exist.
ACTION: If Firms do not have in-house IT expertise they should engage a competent vCTO who will be able to review the services and arrangements.
Location Location Location
The FCA recognise that data centres are potentially a different thing from a Firm's place of business, which was an arcane but major sticking point for cloud adoption. Whilst the rules on access have not changed, the definition of the premises to which access must be provided has been clarified.
We regard ‘business premises’ as a broad term, encompassing a range of premises. This may include head offices, operations centres, but does not necessarily include data centres.
For firms where these requirements apply as rules, their contracts must allow for access to business premises, in line with the rules in SYSC. The focus should therefore be on which business premises are relevant for the exercise of effective oversight; this does not necessarily require access to all business premises. For example, service providers may, for legitimate security reasons, limit access to some sites – such as data centres.
Action: Firms should ensure that all data can be accessed from their primary business site and that there is the capability within the firm to assist with any regulatory requests.
This is a new set of guidance and it has far-reaching impacts on any existing IT service management agreements. Any firm undertaking IT outsourcing should have an exit plan that is documented and tested. Concentration risk is an important point. If an IT service provider that manages the desktops for 40 Firms in London fails, and those 40 firms are left without email, files, archives and trading systems, there is a major systemic risk. This is a plausible scenario given the state of the IT services market, where funds buy on price without understanding the service or regulatory risk they are running.
Firms need to ensure that they are able to exit outsourcing plans, should they wish to, without undue disruption to their provision of services, or their compliance with the regulatory regime. Firms should:
- have exit plans and termination arrangements that are understood, documented and fully tested
- know how it would transition to an alternative service provider and maintain business continuity
- have a specific obligation put on the outsourcing provider to cooperate fully with both the firm and any new outsource provider(s) to ensure there is a smooth transition
- know how it would remove data from the service provider’s systems on exit
- monitor concentration risk and consider what action it would take if the outsource provider failed.
Action: Firms need to construct an exit plan for every third-party IT outsource vendor. This point will be the most contentious, as in the large majority of cases it will require contract negotiations to secure the cooperation of vendors on service exit.
Data is mentioned in several areas of the guidance.
This covers basic IT through to customer-facing retail websites. The issue of data residency, given the failure of Safe Harbour, is particularly pertinent and implies that holding data in the US is not a sound strategy unless model clauses are in place.
- agree a data residency policy with the provider upon commencing a relationship with them, which sets out the jurisdictions in which the firm’s data can be stored, processed and managed. This policy should be reviewed
- understand the provider’s data loss and breach notification processes and ensure they are aligned with the firm’s risk appetite and legal or regulatory obligations
- consider how data will be segregated (if using a public cloud)
- take appropriate steps to mitigate security risks so that the firm’s overall security exposure is acceptable
- consider data sensitivity and how the data are transmitted, stored and encrypted, where necessary.
The FCA defer to the ICO in this matter, with explicit guidance that Firms should therefore follow the ICO’s guidance on cloud computing.
Access to data
The interesting part of the guidance is the types of data mentioned which, although in line with the SEC’s cyber investigations, are wider in scope than was previously assumed. The inclusion of audit trails and logs implies that all firms should look towards log aggregation solutions.
The term “data” has a wide meaning. It includes but is not limited to firm, personal customer and transactional data, but also system and process data: for example Human Resource vetting procedures or system audit trails and logs.
Action: A review of the firm’s data governance, hygiene, classification, security and residency. This is a substantial piece of work that needs to be undertaken by resources with specific experience in this area.
It is good to see the FCA issue guidance in this area. However, it creates a considerable burden of one-off project work and ongoing monitoring for firms. It also requires that all IT contracts be re-examined to ensure that they are compliant with the guidance.
IP Sentinel are regulatory IT experts. We have experience in all aspects of IT outsourcing in the Financial Services market and have a range of assurance services that can assist Firms with the Action points set out above.
For more information or to discuss the finer points of the guidance contact James Hogbin on 01825 701870 or firstname.lastname@example.org