Out-Law News
21 Jan 2015, 5:07 pm
The paper, written by a network and information security expert at the European Network and Information Security Agency (ENISA), said financial services businesses must address a number of "supervisory and compliance concerns" in relation to information security if they seek to make use of cloud computing. It recommended that new guidelines be created to help the industry navigate those issues.
"As the European Commission encourages the European companies to use cloud computing to increase their mobility and resilience, the finance sector will be likely to request that extra security guarantees are given so their data and processing remain safe (or even safer)," the ENISA research paper (61-page / 2.26MB PDF) said.
The paper recommended that the European Banking Authority (EBA) and ENISA "define the conditions for adoption of cloud-based services and applications in the finance sector".
The recommendations in the paper come after ENISA carried out a questionnaire and interviews with representatives from financial services companies on network and information security issues.
Many respondents to the ENISA questionnaire and interviews said that they are "rarely fully aware of all the implications and impact of regulatory requirements" when using cloud services because the rules are "scattered across several different texts", according to the report. They said "a single implementation guideline would be precious".
Financial services IT contract expert Susan McKiernan of Pinsent Masons, the law firm behind Out-Law.com, said: "Financial services businesses have been increasingly adopting cloud-based solutions, but there is still caution. Information security is a key concern, but it is not the only one – concerns persist around lack of control of data, data location, access and audit, and in particular ensuring that contracts accommodate the rights of regulators and other supervisory authorities to access and audit relevant data."
"In the UK a regulated business is required to have 'appropriate safeguards' for any outsourcing or delegation of activities to a supplier, but the business has to decide itself what is appropriate, operationally and contractually, depending on the scale, nature and complexity of the activities. This means that different levels of protection are demanded by different businesses across the industry," she said.
McKiernan said there have been previous calls for guidance on what uses of cloud-based solutions would be acceptable from a regulatory perspective and that "clear guidance" as to how a regulated firm can assess and adopt cloud solutions and remain compliant is "likely to be welcomed not only by the regulated businesses, but by suppliers to the industry also".
The ENISA research paper also called on the agency to develop new guidelines to explain when information security principles apply to IT suppliers operating in the financial services sector.
"The key issue reported by participants during our interview process relates to the dichotomy between the security objectives / obligations of their company, and the fact that many aspects are totally under third party control: this remark applies both to messages / networks service providers," the report said. "Likewise this issue seems to extend to other supply areas: Banks are responsible for instance for the protection against data leaks, but cannot always configure entirely the devices they purchase (mobile phones, tablets, laptops, servers, operating systems, etc.)."
"While contractually [financial services companies] are allowed to perform security assessments for these outsourced contracts, they felt that the inclusion of their supply chain in supervision frameworks could address several issues. However, these aspects need to be defined comprehensively," it said.
The ENISA paper also said the European Central Bank and other EU financial services regulators should organise regular network and information security "stress tests" in the financial services sector. It said the tests should be voluntary and look to "identify where possible black swan risks and uncover to the greatest extent possible 'unknown unknowns'".
A 'black swan' event is an incident that is unlikely to occur but has the potential to have a significant impact on the economy and markets if it does arise.
"Instead of performing a checklist audit, the stress test would be based on a realistic incident scenario in which participants would be able to voluntarily participate. ENISA would support extensively those tests," the ENISA paper said. "The objective is therefore to improve the efficiency of security measures by testing them in fictitious scenarios (i.e. exercises). The results of the stress tests will help to identify global and structural NIS weaknesses. They will be anonymised and key conclusions circulated after the test among participants."