ESMA’s Cloud Outsourcing Guidelines Part 1: Governance, Due Diligence and Contracts

The European Securities and Markets Authority (ESMA) recently published a consultation paper on outsourcing to cloud service providers, which included a number of proposed guidelines. 

While firms of all sizes have been outsourcing to the cloud for many years already, the new guidelines are aimed at helping ‘firms and competent authorities identify, address and monitor the risks and challenges that arise from cloud outsourcing arrangements’, the regulator said. 

Coming into force from June 2021, they are likely to apply to all ESMA regulated entities, including AIFMs, UCITS and investment firms. 

Even if you’ve got an established framework in place already, firms should take time to understand the guidelines. Not only is it important to make sure you’re acting in accordance with the rules, but a robust cloud strategy may also help minimise future risks and headaches in the future. 

In part 1 here, we take a closer look at guidelines 1-3, and explain how firms can optimise their governance, due diligence, and contractual requirements going forward. 

Guideline 1: Governance and oversight – You need a policy

ESMA recommends that firms should have a cloud outsourcing strategy policy that aligns with other information security, risk management and outsourcing policies. The documentation should clearly state accountabilities and responsibilities and firms should have an oversight function, accountable to the management body  responsible for the oversight process. 

So, what’s the right structure for a cloud service provider oversight? While there’s no hard and fast rule, and all firms have different needs and goals, implementing technical certificates, such as an ISO 27001, is likely to help in this area. The ISO has become the defacto standard for information security management system (ISMS) certification, and should allow firms to implement policies around control and oversight, as well as data security. 

Until recently, it was mostly cloud service providers and technology firms that embraced the certificate, but we are seeing an increasing number of asset managers and service providers, particularly Super ManCos, adopt the ISO standard. 

Embracing such standards will provide firms, and especially Super ManCos, a certified Information Security Management system to underpin the CSP oversight function. 

Guideline 2: Due diligence and vendor risk – Check and check again

It goes without saying that before entering into any cloud outsourcing arrangement, a firm should conduct due diligence checks at commencement of the contract and as part of the ongoing due diligence process. According to ESMA, this should include confirmation whether the outsourced function is deemed critical or non-critical and also include a proportionate risk assessment for the firm’s operational, legal, compliance, and reputational risks.

ESMA, however, does not provide definitive guidance on how the criticality of cloud outsourcing arrangements should be determined. Ultimately, the assessment on whether the CSP is performing a critical outsourced function is for the firm  to make based on its fact pattern and use of the CSP, and this should be self-evident. 

Guideline 2 also offers suggestions on how to perform due diligence of the CSPs, particularly in the areas of information security, service support and business continuity. It points to the benefits of standardised international certifications which can aid the due diligence process. This certification can come from international standards (such as ISO 27001 as discussed earlier), or from regulatory authorisation of the CSP itself. 

Vendor risk has become ever more important in the fallout from the Covid-19 pandemic as well. 

A recent analysis by Risk.net, for instance, found that ‘The economic fallout from the Covid-19 pandemic has spurred banks to increase due diligence of vendors that provide critical outsourced services – while at the same time making audits of such firms difficult, and on-site inspections impossible.’ 

It would be wise for asset managers to adopt a similarly cautious approach, if they aren’t already. Firms should assess the CSP in terms of their continuity plans, their financial wellbeing, how easy it is to switch to another third party if needed, and data management – since most CSP employees are likely to be working from home for the foreseeable future. 

Although on-site visits may be more difficult, firms can still build robust risk management protocols through due diligence, limiting concentration risk, and regularly reevaluating their vendor risk. Top CSP’s should be able to share some of their own security awareness programmes and can assist firms’ if needed. 

Guideline 3: Contractual requirements – Standard terms are best 

In Guideline 3, ESMA recommends that the respective rights and obligations of a firm and of its CSP should be clearly allocated and set out in a written agreement. In addition, ESMA suggests the contractual clauses that the firm should expect include data processing and access rights, performance reporting, insurance and information security measures.

The majority of CSPs will have standardised contractual agreements, used for all customers. Typically terms and conditions will already include data processing and access rights, performance reporting, insurance and information security measures, or will point to the CSP policy documentation that contains the necessary information. 

It is important to note that standardised agreements are a key CSP requirement, and creation of non-standard bespoke contractual agreements is outside the best interests of both parties. 

Significant care and attention is taken when creating cloud service terms and conditions. Effectively, the firm is licensing the CSP on an as-is basis. This can cause confusion for firms, especially for those that  in the past have outsourced functions based on customised professional services agreements. 

Typically speaking, the items in the terms and conditions that can be negotiated are commercial. Non-negotiable items may include warranty, representations, liability and intellectual property. 

AQMetrics is seeing the larger asset service providers creating standardised master cloud agreements for the CSPs, and consigning the historic master professional services agreements to the archives.

Next up, we’ll look at guidelines 3-6 and 7-9, tackling issues such as information security, exit strategies and communication with the National Competent Authorities.

If you would like to discuss any of the above,  please don’t hesitate to reach out and contact us at sales@aqmetrics.com or claire.savage@aqmetrics.com