On 31 July 2021, the Guidelines on outsourcing to cloud service providers issued by the European Securities Market Agency (ESMA) became applicable to all cloud outsourcing arrangements entered into, renewed or amended on or after that date.
The new Guidelines help firms to identify, address and monitor the risks and challenges arising from cloud outsourcing arrangements, which are becoming increasingly common.
In addition to competent authorities, the Guidelines apply to certain players in the financial sector, which include undertakings for collective investment in transferable securities, central counterparties, investment firms and credit institutions when carrying out investment services and activities, as well as credit rating agencies.
The Guidelines supplement previous guidelines on outsourcing issued by the European Banking Authority (EBA) and European Insurance and Occupational Pensions Authority. ESMA has stated that the new Guidelines are consistent with the previously issued guidelines. Even though the consistency of the guidelines is useful for the firms falling within the scope of application of ESMA's Guidelines, all of the guidelines on cloud outsourcing are to be examined separately, taking into account their individual scopes of application.
What do firms have to consider under the new Guidelines?
The Guidelines set out nine guidelines in total, which firms must take into account in cloud outsourcing arrangements.
1. The firm must have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm's strategies and internal policies and processes.
The responsibilities for the documentation, management and control of cloud outsourcing arrangements must be clearly assigned within the organisation. An internal oversight function must be arranged taking into account the nature and scale of the business. A clear allocation of tasks and responsibilities for management and oversight is the minimum requirement.
Firms not categorised as small must establish an oversight function or designate senior staff members who are directly accountable to the management body and responsible for managing and overseeing the risks. The oversight must be risk-based, with a primary focus on critical or important functions.
An up-to-date register of information must be maintained on all cloud outsourcing arrangements. The firm must periodically reassess whether its cloud outsourcing arrangements concern a critical or important function, and the critical or important functions must be distinguished from other outsourcing arrangements in the register.
2. Before entering into any cloud outsourcing arrangement, the firm must conduct an analysis and a due diligence review proportionate to the nature of the arrangement in question.
The firm must assess if the cloud outsourcing arrangement concerns a critical or important function and identify and assess all relevant risks and any conflicts of interest. The analysis must include an assessment of the potential impact of the cloud outsourcing arrangement on the firm's operational, legal, compliance, and reputational risks.
Unlike the EBA cloud outsourcing guidelines, the ESMA Guidelines name additional factors to be considered in the due diligence on the cloud service provider, for example service support, including support plans and contacts and disaster recovery plans.
3. As a minimum requirement, the respective rights and obligations of the parties should be clearly set out in a written agreement.
The written agreement must include a clear description of the outsourced function, the term and termination of the agreement and a mention of the firm's possibility to terminate it, the financial obligations of the parties, provisions regarding information security and protection of personal data, access and audit rights, and the minimum obligations set on the cloud service provider.
4. Information security requirements must be included in the cloud outsourcing agreement.
The firm must set information security requirements in its internal policies and procedures and within the cloud outsourcing agreement and monitor compliance with these requirements on an ongoing basis, including to protect confidential, personal or otherwise sensitive data.
In case of outsourcing of critical or important functions, the firm must, inter alia,
- ensure that there is a clear allocation of information security roles and responsibilities between the firm and the cloud service provider, including in relation to threat detection, incident management and patch management
- ensure that strong authentication mechanisms (for example multi-factor authentication) and access controls are in place
- ensure that relevant encryption technologies are used, where necessary, for data in transit, data in memory, data at rest and data back-ups, and
- adopt a risk-based approach to data storage and data processing location(s) (namely regions or countries).
Although the EBA guidelines include provisions of a similar nature, the provisions about strong authentication mechanisms and a risk-based approach in the ESMA Guidelines are different or entirely new compared to them.
5. The agreement must include exit strategies that do not cause undue disruption to the business activities and/or services.
In case of outsourcing of critical or important functions, the firm must ensure that it is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with its obligations under the applicable legislation, as well as the confidentiality, integrity and availability of its data.
The firm must develop an exit strategy and identify alternative solutions. The firm must also define success criteria for the transition and assign roles and responsibilities to manage the exit strategy.
6. The agreement may not limit access and audit rights.
The firm should ensure that the cloud outsourcing written agreement does not limit the firm's and competent authority's effective exercise of the access and audit rights and oversight options on the cloud service provider.
Firms may enhance the efficiency of the use of audit resources and decrease the organisational burden on the cloud service provider and its clients by requiring third-party certifications and external or internal audit reports, and by pooled audits, without prejudice to their final responsibility regarding cloud outsourcing arrangements.
7. If sub-outsourcing is agreed upon, the agreement must specify clear obligations and requirements.
If sub-outsourcing of critical or important functions (or material parts thereof) is permitted, the cloud outsourcing written agreement between the firm and the cloud service provider must include certain provisions and ensure that the cloud service provider properly oversees the subcontractor.
8. The firm should notify its competent authority in writing and in a timely manner of planned cloud outsourcing arrangements that concern a critical or important function.
Also, those cloud outsourcing arrangements that concern a function that was previously classified as non-critical or non-important and then became critical or important must be notified to the competent authority.
9. The supervision by competent authorities focuses on the arrangements that relate to the outsourcing of critical or important functions.
Competent authorities assess the risks arising from firms' cloud outsourcing arrangements as part of their supervisory process and focus in particular on the arrangements that relate to the outsourcing of critical or important functions, and assess based on this whether
- the firms have in place the relevant governance, resources and operational processes to appropriately and effectively enter into, implement, and oversee cloud outsourcing arrangements, and
- the firms have identified and managed all relevant risks related to cloud outsourcing.
Consequences and future prospects
Firms must assess and change their current cloud outsourcing arrangements to comply with the Guidelines by 31 December 2022.
Adding pressure to the assessment and possible changes is the fact that, if the cloud outsourcing arrangements of critical or important functions have not been assessed by the end of 2022, the companies must notify the competent authorities of this and include in the notification the measures planned to complete the assessment or, alternatively, the possible exit strategy.