Response to consultation on recommendations on outsourcing to cloud service providers
Go back
However, there are paragraphs in the draft which would need more details and clarification in special areas:
Paragraph 4:
Firstly, the register which is asked for should not be a separate register for outsourcing to cloud service providers. If there is already a register on outsourcing it should be possible to include the list for outsourcing to cloud service providers there, as well. This would streamline outsourcing processes overall and make the handling, control and overview easier since most of the times many services are outsourced.
Secondly, such register should only apply for European banking groups and on European level. In third countries there might not be such a provision to keep such register and therefore, a register on European level covering the parts of a third country group operating inside EU (/EEA) should be sufficient.
Thirdly, there is clarification needed that outsourcing contracts regardless of their materiality should be collected in such register. By this, an overview over all outsourcing contracts is given and a change in materiality is easier to handle, to implement and to control.
Paragraph 5:
In lit. h) it is unclear for us by whom the materiality test should be performed. It seems only logical that an internal test is meant since the institution itself has the best insight into the impact of outsourcing to a cloud service provider. This should be clarified.
In lit. j) the question arises what to do in the event that a conclusion if materiality is given or not is difficult or impossible (maybe only at a certain point of time) to whatever reason. It should be allowed to outsource anyway under the condition to manage the relevant risk appropriately.
In lit. l) we understand that the requested due diligence should be possible to perform by the institution itself. This should be possible without the need of external auditors and with a certain degree of flexibility in cases when, for example, the IT due diligence asks for external support.
Paragraph 6:
From our point of view, this paragraph is the part of the recommendation with the greatest impact on both the institutions and the cloud service providers. It should therefore set provisions that are manageable and realistically to meet for both parties.
Both parties do have an intensive interest in data protection and security. However, we see this need not fully met so far in the draft recommendations.
Regarding the provision set out in lit. a), it has to be taken into account that it will be unrealistic for all users of cloud services and their auditors to have full access" to the business premises of the cloud service providers. Not only do cloud service providers have multiple business premises around the world and data from one institution or group might be stored in multiple jurisdictions due to cost efficiency and capacity of the cloud service provider, but also due to security reasons a diversification on different premises is often made. Keeping the "on premises control tourism" out of all facilities is part of the security plan of most cloud service providers. Both location of such premises and the exact handling of data storage is part of the service providers' business secret. Therefore, it is foreseeable that it is hardly impossible for relatively small customers of cloud service providers to negotiate access to business premises as well as insight into the security infrastructures of cloud service providers into the outsourcing contract. Such scenario might be possible for those customers representing a high value to the service provider but certainly not for all customers.
From our perspective, the above mentioned counts for the "right of audit" in the same manner.
In conclusion, we strongly support the idea of the possible use of certifications that respectively will be approved or recognized by the national competent supervisory authorities as it was suggested and discussed in the public hearing to this draft recommendation that took place at the EBA premises on 20 June 2017.
Paragraph 7:
Following up on the concept of certifications, it should be possible to provide a respective assurance of security on the basis of available (and accepted by the supervisor) certifications, especially certain industry standards.
Furthermore, clarification is needed what kind of "alternative ways" are thinkable to provide a similar level of assurance. It is our understanding that such way could be the above mentioned certifications.
Paragraph 8:
In general, we support the concept of certifications as mentioned in lit. b). However, even if we think that widely recognized standards are sufficient, the supervisory authorities should provide guidance for the cloud service providers which core measures should be fulfilled. For example, would a standard which can be fulfilled by self-assessment qualify as a recognized standard? Additionally, the provision also leaves the question open if there are key standards the supervisor expects to be met to which therefore an institution should particularly pay attention when selecting a cloud service provider.
We would therefore welcome an official guidance what key measures an institution should look out for when selecting a cloud service provider.
Paragraph 9:
As to the current paragraph, it remains unclear on how an institution should verify that the external staff is appropriately qualified to perform the audit. Two questions arise in this context: firstly, which proof is sufficient (such as relevant education/experience/certifications) and secondly, how should this be verified since it seems unlikely that staff would present diplomas, a CV for relevant experience or certificates and such things that would work as a verification to a client. This would be also contradictory to data protection implications which call for economical use of personal data which includes that such data is not widely and randomly spread.
Paragraph 19:
We welcome the approach that data protection laws are mentioned in this context, especially due to the fact that large cloud service providers are often domiciled outside the EEA.
Paragraph 23:
Chain outsourcing is quite common and often necessary. So the outsourcing agreement can take this scenario into account. Nevertheless, we believe that institutions can only take a certain degree of influence to subcontractors. Especially the risk assessment before sub-contracted services are changed seems to be inadequate in the context of infrastructure/plat¬form/software as a service. Such changes might be made fast and without immediate direct impact to the institution which is why the institution might not be informed by the cloud service provider. And a change that would increase the assumed risk would therefore mean that the entire outsourcing contract is put into question even though the questioned cloud service provider may be the most adequate from an overall perspective, for instance because it is used by the whole banking group. We therefore recommend that only changes of subcontractors need pre-notification which are material and significant for the outsourcing overall and not each individual service."
Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
In general, the provisions are clear and sufficiently detailed to be used in the context of out-sourcing to cloud service providers.However, there are paragraphs in the draft which would need more details and clarification in special areas:
Paragraph 4:
Firstly, the register which is asked for should not be a separate register for outsourcing to cloud service providers. If there is already a register on outsourcing it should be possible to include the list for outsourcing to cloud service providers there, as well. This would streamline outsourcing processes overall and make the handling, control and overview easier since most of the times many services are outsourced.
Secondly, such register should only apply for European banking groups and on European level. In third countries there might not be such a provision to keep such register and therefore, a register on European level covering the parts of a third country group operating inside EU (/EEA) should be sufficient.
Thirdly, there is clarification needed that outsourcing contracts regardless of their materiality should be collected in such register. By this, an overview over all outsourcing contracts is given and a change in materiality is easier to handle, to implement and to control.
Paragraph 5:
In lit. h) it is unclear for us by whom the materiality test should be performed. It seems only logical that an internal test is meant since the institution itself has the best insight into the impact of outsourcing to a cloud service provider. This should be clarified.
In lit. j) the question arises what to do in the event that a conclusion if materiality is given or not is difficult or impossible (maybe only at a certain point of time) to whatever reason. It should be allowed to outsource anyway under the condition to manage the relevant risk appropriately.
In lit. l) we understand that the requested due diligence should be possible to perform by the institution itself. This should be possible without the need of external auditors and with a certain degree of flexibility in cases when, for example, the IT due diligence asks for external support.
Paragraph 6:
From our point of view, this paragraph is the part of the recommendation with the greatest impact on both the institutions and the cloud service providers. It should therefore set provisions that are manageable and realistically to meet for both parties.
Both parties do have an intensive interest in data protection and security. However, we see this need not fully met so far in the draft recommendations.
Regarding the provision set out in lit. a), it has to be taken into account that it will be unrealistic for all users of cloud services and their auditors to have full access" to the business premises of the cloud service providers. Not only do cloud service providers have multiple business premises around the world and data from one institution or group might be stored in multiple jurisdictions due to cost efficiency and capacity of the cloud service provider, but also due to security reasons a diversification on different premises is often made. Keeping the "on premises control tourism" out of all facilities is part of the security plan of most cloud service providers. Both location of such premises and the exact handling of data storage is part of the service providers' business secret. Therefore, it is foreseeable that it is hardly impossible for relatively small customers of cloud service providers to negotiate access to business premises as well as insight into the security infrastructures of cloud service providers into the outsourcing contract. Such scenario might be possible for those customers representing a high value to the service provider but certainly not for all customers.
From our perspective, the above mentioned counts for the "right of audit" in the same manner.
In conclusion, we strongly support the idea of the possible use of certifications that respectively will be approved or recognized by the national competent supervisory authorities as it was suggested and discussed in the public hearing to this draft recommendation that took place at the EBA premises on 20 June 2017.
Paragraph 7:
Following up on the concept of certifications, it should be possible to provide a respective assurance of security on the basis of available (and accepted by the supervisor) certifications, especially certain industry standards.
Furthermore, clarification is needed what kind of "alternative ways" are thinkable to provide a similar level of assurance. It is our understanding that such way could be the above mentioned certifications.
Paragraph 8:
In general, we support the concept of certifications as mentioned in lit. b). However, even if we think that widely recognized standards are sufficient, the supervisory authorities should provide guidance for the cloud service providers which core measures should be fulfilled. For example, would a standard which can be fulfilled by self-assessment qualify as a recognized standard? Additionally, the provision also leaves the question open if there are key standards the supervisor expects to be met to which therefore an institution should particularly pay attention when selecting a cloud service provider.
We would therefore welcome an official guidance what key measures an institution should look out for when selecting a cloud service provider.
Paragraph 9:
As to the current paragraph, it remains unclear on how an institution should verify that the external staff is appropriately qualified to perform the audit. Two questions arise in this context: firstly, which proof is sufficient (such as relevant education/experience/certifications) and secondly, how should this be verified since it seems unlikely that staff would present diplomas, a CV for relevant experience or certificates and such things that would work as a verification to a client. This would be also contradictory to data protection implications which call for economical use of personal data which includes that such data is not widely and randomly spread.
Paragraph 19:
We welcome the approach that data protection laws are mentioned in this context, especially due to the fact that large cloud service providers are often domiciled outside the EEA.
Paragraph 23:
Chain outsourcing is quite common and often necessary. So the outsourcing agreement can take this scenario into account. Nevertheless, we believe that institutions can only take a certain degree of influence to subcontractors. Especially the risk assessment before sub-contracted services are changed seems to be inadequate in the context of infrastructure/plat¬form/software as a service. Such changes might be made fast and without immediate direct impact to the institution which is why the institution might not be informed by the cloud service provider. And a change that would increase the assumed risk would therefore mean that the entire outsourcing contract is put into question even though the questioned cloud service provider may be the most adequate from an overall perspective, for instance because it is used by the whole banking group. We therefore recommend that only changes of subcontractors need pre-notification which are material and significant for the outsourcing overall and not each individual service."