Ensuring your outsourcing provider complies with appropriate IT standards

While the EBA's outsourcing guidelines are aimed at encouraging greater standardisation in areas such as IT security, they do offer institutions subject to the guidelines a degree of flexibility over the IT standards they hold their outsourcing providers to in their contracts.

The EBA's outsourcing guidelines need to be read in conjunction with its separately published guidelines on ICT security and risk management (the ICT guidelines), which hone in on their subject matter in a greater level of detail.

Outsourcing guideline requirements

The outsourcing guidelines require credit institutions, investment firms, payment institutions and electronic money institutions to address IT security in their outsourcing contracts. The contracting requirements for institutions include:

• ensuring that service providers, where relevant, comply with appropriate IT security standards, and;
• where relevant, defining data and system security requirements.   

Where an outsourcing is of a critical or important function, the guidelines further require institutions to ensure the accessibility, availability, integrity, privacy and safety of relevant data in line with those requirements.

Appropriate IT security standards

The guidelines do not provide much detail to aide institutions in assessing whether their supplier IT security commitments meet the required 'appropriate' threshold.  The EBA has indicated that it is the institution's responsibility to define what they are, so there is a degree of flexibility as to how institutions make the assessment.

There are certain indicators within the guidelines, however, that assist with the assessment and what needs to be reflected in outsourcing agreements:

• they need to meet internationally accepted information security standards, so if a service provider has, for example, a relevant ISO certification, this would go some way to give comfort as to compliance;
• the service provider's security commitments need to protect not only personal data, but also confidential and sensitive information of the institution. Seeking to rely on GDPR-compliant provisions for the protection of personal data would not go far enough to meet this requirement, for example, and;
• the need for appropriate security standards is not limited to the outsourcing of IT functions, but applies in general to any outsourcing.

Defining data and system security requirements

Paragraph 82 of the guidelines requires institutions to define data and system security requirements within the outsourcing agreement and to monitor compliance with these requirements on an ongoing basis.

The need to 'define' security requirements means that a general contractual commitment from a service provider to simply keep data secure is unlikely to be sufficient to comply. Again, the guidelines do not expand in any material way on how those contractual requirements should be defined or what they should address. That said, there are useful pointers that can be extrapolated from other provisions within the guidelines.

Institutions are required to conduct a risk assessment before entering into an outsourcing arrangement, part of which is to assess and decide on an appropriate level of protection for the institution's data. To assist institutions with task, the guidelines list a number of security measures which institutions should consider for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture. Requiring service providers to implement these types of measures would seem a sensible first step to 'defining' applicable data and security system requirements.

The ICT guidelines also give indications of the type of measures that institutions should address when defining security requirements – more on this below.

Institutions will want to achieve consistency of security standards across their outsource supply chain and ensure that contractual commitments are aligned with their own policies and their risk assessment for particular suppliers. Our experience is that it can be challenging to achieve all of these with certain suppliers in a uniform way, so while seeking suppliers to sign up to a robust, standardised set of security measures is a good starting position, we have found that this is an area where suppliers seek to negotiate something more tailored to their service and existing security arrangements.

ICT guidelines

The security contracting requirements under the outsourcing guidelines need to be read in conjunction with the ICT guidelines. These guidelines also stipulate certain contracting requirements, but they are not as extensive as those set out in the outsourcing guidelines.

In brief, the ICT guidelines require institutions to ensure that contracts with service providers include:

• appropriate and proportionate information security-related objectives and measures, and;
• operational and security incident handling procedures.

Institutions are also required by the ICT guidelines to monitor and seek assurance on the level of compliance of these providers with the security objectives, measures and performance targets of the institutions, so relevant contractual rights and obligations will also need to be included.

Guidance as to what 'objectives and measures' institutions must set is provided by way of examples, including minimum cybersecurity requirements, data encryption and security monitoring processes. These examples provide a useful insight for institutions as to the types of security measures they should implement as a means of achieving compliance with security requirements in the outsourcing guidelines.

The ICT guidelines do not provide examples for incident handling procedures. It would seem reasonable, however, to expect that contractual obligations on the service provider would include notifying any security breach or loss, corruption or degradation of data, remediation commitments, as well as a requirement for them to maintain and implement business continuity and disaster recovery plans.

Operational resilience

The arrival of Covid-19 and the resulting changes in business operations put an unprecedented strain on IT security for many institutions and service providers, not least because of increased data access points and, in some cases, a forced migration to new and untested communication platforms.

As organisations move past the initial crisis management needs to a potential long term adjustment in how they operate, there will be an increased focus on assessing and ensuring operational resilience, both from a business continuity and compliance perspective. Data and information system security will be a central aspect of this assessment, and the relevant requirements in both the outsourcing guidelines and ICT guidelines may well draw closer scrutiny against this contextual backdrop.