The European Securities and Markets Authority (ESMA) recently published a consultation paper on outsourcing to cloud service providers, which included a number of proposed guidelines.
While firms of all sizes have been outsourcing to the cloud for many years already, the new guidelines are aimed at helping ‘firms and competent authorities identify, address and monitor the risks and challenges that arise from cloud outsourcing arrangements’, the regulator said.
Coming into force from June 2021, they are likely to apply to all ESMA regulated entities, including AIFMs, UCITS and investment firms.
In part 1, we took a look at guidelines 1-3 – governance, due diligence and contracts. This time, we offer analysis of guidelines 4-7 – information security, exit strategies, and access and audit rights.
Guideline 4: Information security – time to bolster your IT?
ESMA recommends that a firm should set information security requirements in its internal policies and procedures and within the cloud outsourcing written agreement. In addition, firms are expected to monitor compliance with these requirements on an ongoing basis, including the protection of confidential, personal or otherwise sensitive data.
This includes access management, encryption, network security, use of application programming interfaces (APIs) and disaster recovery.
That is certainly an arduous task, and it’s no surprise that firms are bolstering their expertise in these areas. Increasingly, we are seeing asset managers and service providers building out their internal IT teams with cloud expertise.
Often the work of this team is stretched across many activities, including creation and management of data interfaces, ongoing due diligence, IT questionnaires, and maintenance of legacy in-house applications.
In some cases, we see management companies outsourcing information security due diligence to a specialist third-party firm. Whether outsourcing or not, the directors of the management company have an obligation for information security oversight. The information presented to directors should take their experience into consideration, as it may often predate the digital era and the time available to directors to upskill may be limited.
As discussed in our response to Guideline 1, this is where an ISO 27001 certification can provide assurance. The policies and procedures underpinned by the ISO 27001 standard give a set of documentation that management can assess and summarise for board presentation.
Guideline 5: Exit strategies – always have a “Plan B”
In the case of outsourcing of critical or important functions, a firm should ensure that it is able to exit cloud outsourcing arrangements without undue disruption to its business activities and services to its clients. Being able to exit should also not cause any detriment to its compliance with the applicable legal requirements, as well as the confidentiality, integrity and availability of its data.
For firms partnering with a CSP, therefore, having an exit strategy or “plan B” will always make sense, even if you believe that you’re entering into a long-term partnership. In recent times, AQMetrics has witnessed changes in our marketplace, where competitors have been acquired by market participants, including exchanges. When the CSP is no longer deemed to be core to the strategy of the exchange, a discontinuation of service can occur. This has been especially prevalent with regulatory reporting.
In short, be prepared for changes in the market, and know the options that exist. Often these options will include smaller, independent specialist firms that may pose less risk from an unplanned exit, particularly when compared to a cloud service offered by a larger market participant.
You should also be wary of concentration risk. While third-party risk increases with more providers, concentration risk decreases. It’s important to weigh up this balance.
Guideline 6: Access and audit rights – Trust and communication are key
ESMA recommends that firms should ensure the cloud outsourcing written agreement does not limit the firm’s access and audit rights as well as its oversight options on the CSP. The recommendations acknowledge that third-party certifications and external or internal audit reports made available by the CSP may aid this process.
Consideration needs to be given where cloud solutions present a high level of technical complexity. The firm, or a pool of auditors acting on its behalf, should have the right skills and knowledge to properly assess the relevant cloud service.
Trust and communication between the CSP and the asset manager or asset service provider are key, particularly during the recent Covid-19 crisis. Any significant changes to the operating environment of the CSP, such as its operations now being mostly remote, should be communicated, and vice versa. Without transparency, critical changes can be difficult to assess, and ongoing due diligence and audits may focus on the wrong areas.
If the CSP is certified by independent auditors, the asset manager or service provider should not try to reproduce these audits in-house. Instead, you should rely on the certification and audit carried out by these independent parties.
Because of Covid-19, meanwhile, on-site access may be impossible or impractical, and this is where trust and communication really become key. Firms should make sure that they are in regular dialogue with their CSPs to overcome some of these issues, where possible, and to put contingency plans in place if any issues are likely to arise.
An independent auditor may help alleviate some of these issues, while firms should pay more attention to the financial wellbeing of their CSPs, particularly without the luxury of on-site inspections, where much of this may be easier to glean.