The UK’s Financial Conduct Authority (FCA) recently published its “Guidance for firms outsourcing to the cloud and other third party IT services”. We welcome the publication and believe it provides a good set of areas for consideration for any organisation (globally) when evaluating cloud providers.
The FCA regulates most of the financial services firms and markets in the UK (56,000 businesses) and it publishes guidance documents to help these organisations innovate in their businesses without falling foul of regulations.
It has published finalized guidance to firms on outsourcing to the cloud (17-page PDF). It said there is “no fundamental reason why cloud services cannot be implemented, with appropriate consideration, in a manner that complies with our rules”.
The FCA says that cloud services can provide increased flexibility to firms; however, the use of these services also presents risks which need to be identified, monitored, and mitigated.
The document demonstrates great support for well-managed cloud computing initiatives and clears up any previous confusion about whether cloud computing can be compatible with the highly regulated world of financial services.
The FCA paper defines 13 areas of interest for firms to consider, and each area includes a set of detailed guidance. The areas are:
- Legal and regulatory considerations
- Risk management
- International standards
- Oversight of service provider
- Data security
- Data Protection Act (DPA) 1998
- Effective access to data
- Access to business premises
- Relationship between service providers
- Change management
- Continuity and business planning
- Exit plan
To help people interpret this advice, Skyhigh has published a paper, Complying to FCA Guidance & Conformance for UK Financial Institutions, that explains how CASB technology can help companies implement 20 specific points raised in the FCA paper.
The risks highlighted include the level of control the firm exercises over the outsourced service and data security. The Guidance provides a list of the risks that should be considered during the preparation and evaluation of cloud services, as well as ongoing monitoring and operational risk requirements. Multiple recommendations are made regarding data security, data privacy, and data protection areas with reference to other regulations.
Skyhigh’s registry of global cloud services with its 50 attributes per service allows risk-based decision making, policy enforcement, and control of cloud services. Skyhigh can provide instant answers to many of the questions posed in the guidance, in areas such as:
- Countries where cloud providers store data
- Legal jurisdiction of the cloud provider
- Information Security Management capabilities
- National and international compliance certifications
- Software vulnerabilities and known compromise
- Encryption capabilities for data transfer, storage, and backup
- Physical controls in the data center
- Dispute resolution arrangements
- Termination arrangements
- Further data protection attributes
In addition, Skyhigh can be used to keep track of specific information such as a record of contracts between the customer and the cloud service provider (CSP). Skyhigh sees this document from the FCA as a great addition to effective IT strategy planning for organisations using or moving to the cloud.