ESMA produce cloud outsourcing guidance for investment banks and service providers

The guidelines published by the European Securities and Markets Authority (ESMA), which include requirements around pre-contract risk assessments and how data and security risks should be addressed in cloud outsourcing contracts, are in draft form and open to consultation. Once finalised, they will complete a suite of regulatory guidance issued on cloud outsourcing by the European supervisory authorities.

Some groups of financial institutions subject to the outsourcing guidance produced by the European Banking Authority (EBA) and the European Insurance and Occupational Pension Authority (EIOPA) will be required to adhere to the ESMA guidelines too. Those institutions in particular will welcome the fact the draft ESMA guidelines are less detailed and prescriptive that the outsourcing guidance already produced by the EBA and EIOPA, but should nevertheless carefully assess how they will apply to their operations, investment services and activities.

ESMA guidelines – their scope and context

The guidelines developed by ESMA, like those already published by the EBA and EIOPA, reflect the European Commission's expressed desire for new guidance to be developed to help regulated entities adopt cloud-based solutions.

The consultation period closes on 1 September 2020. ESMA proposes that the guidelines will take effect from 30 June 2021, with a backstop date of 31 December 2022 for firms to review cloud arrangements and ensure their compliance with the guidelines.

Comparing ESMA, EBA and EIOPA guidance

ESMA's draft guidelines are broadly in line with the EBA and EIOPA guidance, but are more condensed. In some respects they could be viewed as less prescriptive or onerous.

The ESMA guidelines are much shorter and deal with a number of issues only briefly. For example, the EBA guidelines set out a number of paragraphs on issues relating to governance, internal audit, business continuity and termination rights. ESMA has addressed these issues in very little detail.  

The guidelines also lack the level of detail set out the EBA guidelines around core concepts which impact whether and the extent to which the guidelines apply. For example, the issue of 'what is and what is not outsourcing' is not addressed through a specific guideline. However, a definition is provided for a 'cloud outsourcing arrangement' which extends the application of the guidelines to arrangements where a third party is not a cloud supplier itself but relies on a cloud supplier – for example, through a sub-outsourcing chain – to perform a function that would otherwise be undertaken by the firm itself.

No detailed criteria for determining what is or what is not a critical or important function is included either, although a short definition of a critical and important function is provided.

There are also no detailed paragraphs on how the guidelines are to be applied in a group entity context.

Unlike in the EBA's guidelines, the ESMA guidelines do not include a long list of requirements for an overarching outsourcing or cloud policy, although some details in relation to risk management and cloud strategy are set out.

A detailed list of information to be kept in a cloud register is also outlined. This is similar to the list included in the EBA's guidelines. The register is designed to require firms to differentiate between their critical and important functions and those that are non-critical and important.

The ESMA guidelines also set out a list of contractual requirements to be included in contracts with cloud suppliers. This list likewise differentiates between arrangements for critical and important functions and those for non-critical and important functions.

While the EBA's guidelines make clear that institutions must insist that cloud providers ensure that sub-outsourcer's grant the "same contractual rights of access and audit as those granted by the service provider", this obligation is not explicitly set out by ESMA. However, cloud providers must ensure that the contractual rights ensure that all contractual obligations between the cloud provider and the regulated entity "are continuously met".

Specific differences between the EBA's guidelines and those developed by ESMA on information security, auditing rights, data locations and exit exist too.

Data and systems security

Guideline 4 requires information security requirements to be included within the cloud outsourcing written agreements. For critical and important functions, on a risk-based approach, a list of requirements is to be complied with.

While the nature of what is set out in this list is broadly similar to those specified by the EBA and EIOPA, the detail is different.

Unique to the ESMA draft guidelines are explicit requirements to:

• ensure that there is a clear allocation of information security roles and responsibilities between the firm and the cloud service provider (CSP), including in relation to threat detection, incident management and patch management; and
• ensure that strong authentication mechanisms, for example two factor authentication, are implemented.

It is not clear why ESMA has called out some information security measures which are not explicitly referred to in the EBA's outsourcing guidelines, but not others set out in the EBA's sister guidelines on ICT and security risk management.

Regulated entities are also asked to "consider" various matters in relation to encryption and key management, tenant isolation in shared environments, operations and network security and application programming interfaces. The detail provided in the ESMA guidelines in relation to these areas does not replicate what is outlined in the EBA and EIOPA guidelines.

Guideline 4 also requires that regulated entities ensure that the cloud service provider "complies with internationally recognised information security standards". This is slightly different to the EBA's outsourcing guidelines which require regulated entities to "ensure that service providers, where relevant, comply with appropriate IT security standards". Background information issued alongside the EBA's guidelines does, however, explain that regulated entities "must ensure that they meet internationally accepted information security standards and this also applies to outsourced IT infrastructures and services".

Data locations

ESMA's guidelines make a number of references to the need for firms to know and document the locations where their data will be stored and processed in the cloud. However, some provisions refer to the need to specify where the 'countries' data is located, while others make reference to 'countries and regions'.

Regulated entities are to set out "the location(s) (namely countries) where relevant data will be stored and processed (location of data centres)", as information kept in the cloud register and shared with the regulator prior to entering into a written agreement, and within written agreements for outsourcings which relate to critical or important functions. Separately, as part of its overall approach to risk management of critical and important functions, regulated entities are to "adopt a risk-based approach to data storage and data processing location(s) (namely country or region).

During the consultation period there will be opportunity to clarify whether ESMA intends regulated entities to keep track of the individual countries within regions, such as the EU or EEA, where data is stored, or whether this is an unintentional oversight in the text. Clarity on this point is important – some cloud providers may not want to reveal the specific country data is stored in.

Exit

The ESMA guidelines are broadly in line with the EBA's guidelines in respect of the provision institutions must make for exiting from cloud outsourcing arrangements. However, there are some technical differences in the language used.

Exit plans need to be updated if an outsourced function changes. The written outsourcing agreement also needs to set out "an obligation for the CSP to orderly transfer the outsourced function and all the related data from the CSP and any sub-outsourcer to another CSP indicated by the firm or directly to the firm in case the firm activates the exit strategy."

Taken literally, this requirement is broader than that set out by the EBA as the cloud provider must transfer all of the related data, not only that data which is relevant or will be useful to the regulated entity in the future.

Audits and audit rights

The ESMA guidelines only address the auditing rights institutions must secure from cloud providers for themselves and regulators in the context of critical and important outsourcing arrangements. The requirements are broadly similar to those set out in the EBA's guidelines.

In the context of critical and important functions, they give regulated entities the option to use pooled audits, certifications and third party audit reports on occasion. However, like with the EBA's guidelines, regulated entities must retain the contractual rights to:

• "request the expansion of the scope of the certifications or audit reports to other relevant systems and controls" of the cloud supplier", and;
• "perform individual on-site audits at its discretion with regard to the outsourced function."

The draft ESMA guidelines state: "In case the exercise of the access or audit rights, or the use of certain audit techniques create a risk for the environment of the CSP and/or another CSP’s client (for example by impacting service levels, confidentiality, integrity and availability of data), the firm and the CSP should agree on alternative ways to provide a similar result (for example, the inclusion of specific controls to be tested in a specific report/certification produced by the CSP)."

In contrast, the EBA guidelines provide that "when performing audits in multi-client environments, care should be taken to ensure that risks to another client’s environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated."

Due diligence

ESMA plans to impose similar pre-contractual risk analysis and due diligence requirements to those set out in the EBA guidelines. However, ESMA has additionally outlined that the cloud suppliers' "service support, including support plans and contacts, and incident management processes" should be considered.

The consultation – an opportunity

ESMA has taken a 'less is more' approach. Generally, cloud providers and regulated entities will be pleased to see that some of the more difficult areas of the EBA's guidelines on outsourcing have been dispensed with – such as prescriptive termination rights.

However, it is a shame that ESMA did not, in light of the current coronavirus pandemic, take more time to consider ways in which it could further reduce barriers which regulation and guidance has created to the take up of cloud services across the EU.

The pandemic has highlighted just how important it is for risks relating to cloud not to be viewed in isolation from the upside cloud-based solutions present in terms of innovation, effective use of large datasets and machine learning technologies, working from anywhere, enabling video conferencing and transferring data at speed.

Stakeholders should seek to use the consultation period to help regulators and supervisory authorities take more practical steps towards a world that addresses the risks technology services present but that also acknowledges the increasing reliance global economies and businesses have upon them.