Response to consultation on recommendations on outsourcing to cloud service providers


Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?

Extract from the joint document: Our foremost priority is to protect the infrastructure housing our customers’ data. We welcome the draft recommendation in paragraph 7 that an outsourcing institution and cloud provider should agree upon “alternative ways” to provide assurance “when the performance of audits or the use of certain audit techniques might create a risk for another client’s environment.” This seems to imply, but does not explicitly state, that the EBA recognizes that physical access to premises, such as data centers, presents risks to cloud infrastructure and customer data that should be avoided.

To promote convergence on how financial institutions exercise their access and audit rights, it would be welcomed if the EBA would clearly define what is meant by using “alternative ways” to achieve assurance. The public cloud model facilitates the use of cloud computing infrastructure by a vast number of customers because the cloud services are provisioned in an automated and standardized fashion. Two key practices that have facilitated the growth of the public cloud model while ensuring security and resiliency for millions of customers are (1) the use of third-party reports and certifications prepared by independent expert auditors and (2) logical access rather than physical access to gather audit evidence. To ensure that the provision of cloud services occurs safely and securely, without harm to the cloud provider, the customer, or the financial system generally, independent expert auditors carry out thorough inspections of providers’ premises according to third-party assurance frameworks, such as ISO 27001, the CISPE Data Protection Code of Conduct for cloud data protection, the European Secure Cloud label for cloud security, ISO 27017 for cloud security, ISO 27018 for cloud privacy, PCI DSS Level 1, and/or SOC 1/SOC 2 and SOC 3. Technical experts from around the world contribute to the development of these and other standards, which auditors apply using methodologies that account for the risks physical access can present to the cloud environment and that frequently use logical access to gather the requisite evidence about the cloud provider’s controls. In light of current international best practices in cloud computing security assurance, the EBA cloud recommendations should direct outsourcing institutions and competent authorities to utilize third-party reports and certifications before considering other techniques, such as pooled or individual audits.
To define the meaning of “alternative ways,” we urge the EBA to consider the following revision of paragraph 8 (changes in bold):

8. The outsourcing institution should exercise its right to audit and its right to access in a proportionate and risk based manner. Conducting an onsite audit of the cloud service provider when necessary information is made available by the cloud services provider, for example, via logical access (in contrast to physical access) or via third-party certifications or audit reports. The outsourcing institution and the cloud provider may agree to use, for example, one of the following alternative ways of exercising the right to audit and access:
We encourage the EBA to consider also further specifying its recommendation in paragraph 8 for using “pooled audits performed jointly with other clients of the same cloud service provider.” The draft recommendations do not include any further definition or guidance on executing a pooled audit. In some jurisdictions, small and medium-sized financial institutions pool their resources and appoint a third-party auditor for their outsourcing arrangements. Pooled audits reduce the costs to any one outsourcing institution and help avoid duplication with third-party audits by establishing a scope and methodology agreed by the outsourcing institutions and the cloud service provider. Furthermore, they allow for collaborative engagement between the outsourcing institutions and the cloud service provider, while preserving the independence of the audit process. Given the economies of scale that pooled audits generate, there are potentially significant benefits to use of the pooled audit model not only for small and medium-sized institutions, but also for significant financial entities.

To ensure that pooled audit is a viable option and consistent with the outsourcing institutions’ and competent authorities’ objectives of independent assurance and transparency, we recommend that the EBA, in its final recommendations, revise paragraph 8(a) as follows (changes in bold):

8 (a) Pooled audits performed jointly with other clients of the same cloud service provider in order to use audit resources more efficiently and to decrease the organizational burden both to clients and to the cloud service provider. Pooled audits should be organized in the following fashion:
(i) Multiple outsourcing institutions of a cloud provider and the cloud provider should collectively establish the pooled audit scope and methodology.
(ii) The outsourcing institutions should appoint an independent and qualified third-party auditor to perform the pooled audit in accordance with the agreed scope.
(iii) Outsourcing institutions should bear the costs of executing the audit to preserve the independence of the pooled audit.

Question 2: Are there any additional areas which should be covered by these recommendations in order to achieve convergence of practices in the context of cloud outsourcing?

Extract from the joint document: In addition to GDPR compliance for cloud services, we also stand ready to assist the EBA and financial institutions with a holistic approach that may help ensure that the draft recommendations also take into account other European legal requirements applicable to the financial sector for cloud computing services, including those pertaining to the Network and Information Security Directive and those of the Second Payment Services Directive, to name a few. Therefore, CISPE would also stand ready to support and engage in pre-standardization efforts with the bank regulators, financial institutions, cloud computing providers and the relevant European standardization agencies.

The draft recommendations represent a significant step towards reducing uncertainty on the part of both financial institutions and cloud service providers as to how financial supervisory authorities expect the regulated entities to meet their legal and regulatory requirements. We share the EBA’s assessment that uncertainty regarding the regulatory framework and supervisory authorities’ practices has hindered cloud adoption and offer the suggestions below in the spirit of making the cloud recommendations precise and readily applicable in key areas.

Name of organisation

CISPE (Cloud Infrastructure Services Providers in Europe)