Out-Law Analysis
17 Aug 2020, 10:19 am
Institutions are required to ensure that they are able to carry out security penetration testing on outsourced service provider's systems under European Banking Authority (EBA) guidelines on outsourcing arrangements. It is one of the more challenging hurdles that institutions face when seeking to comply with the guidelines.
The requirement, which applies to both critical and non-critical outsourcing arrangements, is that the institution should, where relevant, be able to assess the effectiveness of any implemented cyber and internal information and communication technology (ICT) security measures and processes of the outsourced service provider.
Compliance with the requirement will enable the institution to monitor and understand the security measures in place in relation to its outsourced services. Having an overview of those measures will allow institutions to anticipate and better deal with security incidents, which means that the institution and the outsourced function will be more resilient than if the institution lacks understanding of its outsourced service provider's security measures.
The requirement on security penetration testing only applies "where relevant", but the EBA's guidelines do not specify how institutions should assess whether penetration testing is relevant. However, reading the obligation in reverse, if the service provider uses cyber and internal ICT security measures and processes, and these apply to the outsourced function, then penetration testing is very likely to be relevant.
Institutions will also need to consider the relevance of security penetration testing in the context of their general risk assessment of the service provider. Where security penetration testing forms part of the risk management processes applied to the service provider, then it will definitely be relevant. This assessment will primarily need to be made by the information security team, or equivalent, within the institution.
In our experience, service providers generally challenge and raise concerns about institutions seeking contractual rights to carry out security penetration testing on their systems. The most common concern is that security penetration testing carried out by the institutions would, in itself, create a security risk to their systems and to their other customers. Service providers have also raised the point that penetration testing carried out by an institution could cause damage to their systems. From the perspective of compliance with the EBA's guidelines, however, these concerns cannot be used as a barrier to institutions having the right to carry out penetration testing where it is relevant. Solutions must be found which balance the service providers' concerns and the institutions' obligations under the guidelines.
The starting position is that the institution should have the right itself to conduct the security penetration testing. However, in a similar vein to third party certifications being used as a precursor to a full audit right, consideration may be given to allowing the service provider to procure the services of a third party to undertake the security penetration testing, with the resulting report being made available to the institution. Equally, if the service provider has the internal competency to do the testing itself, then this may also be considered as an option. If this "testing and report" option is considered, the institution will need to consider a number of factors, including:
To meet the EBA's guideline requirements, the institution will always need to have the right itself to carry out security penetration testing. The outsourcing agreement between the institution and the service provider will therefore need to stipulate the situations in which this direct right will arise. This will inevitably trigger the service providers' concerns about confidentiality risks and potential damage, but in our experience, working closely with clients' information security teams, these issues can be overcome by getting into the detail of exactly what will be the subject of the security penetration testing and the methodology to be adopted.