In recent years, a growing number of financial institutions have outsourced processes, services or activities to Cloud Service Providers (CSPs).
Generally speaking, cloud services facilitate a firm’s sharing and storage of information and data, helping it cut costs, improve efficiency and flexibility, and safeguard business continuity.
Outsourcing to CSPs, however, introduces its own challenges and risks, particularly in terms of information security and data protection.
As a result, ESMA issued a set of guidelines for financial firms that outsource to CSPs. These guidelines are intended to help firms and competent authorities identify, address and monitor the risks and challenges that arise from cloud outsourcing arrangements.
CySEC also issued Circular C457, which informs regulated entities of ESMA's guidelines and states that CySEC expects market participants to comply with them for any cloud outsourcing arrangement entered into, renewed or amended on or after July 31, 2021.
Furthermore, by December 31, 2022, all firms should have reviewed and amended their existing cloud outsourcing arrangements so that they comply with these guidelines. A firm that cannot complete this review by that date must inform the competent authority and provide a plan setting out when it will complete the review or terminate the cloud outsourcing arrangement.
MAPiTek can help you review and assess your existing CSP agreements, or guide you before you outsource functions to a CSP, to ensure that the following are in place:
- A written agreement that reflects the firm's responsibilities, the applicable guidelines, and the firm's business procedures and monitoring, together with ongoing assessment of that agreement.
- A risk assessment of the CSP, covering its procedures, contractual terms and service specifications.
- An evaluation of the arrangement based on the results of that risk assessment.
- Appropriately implemented information security controls, including encryption, identity and access management, network and database controls, and, where necessary, compliance monitoring and audit.
To better understand your position with respect to these guidelines and to help you find viable solutions or tools for complying with them, please complete our 5-Minute Online Survey Assessment. Upon completion, you will receive a free one-hour consultation with MAPiTek, a leading CSP in Cyprus, to discuss how we can help you comply with ESMA's guidelines.