ESMA consults on guidelines on outsourcing to cloud service providers

Maria Nikolova

The guidelines seek to help firms and competent authorities identify and monitor the risks that arise from cloud outsourcing arrangements.

The European Securities and Markets Authority (ESMA) today published a consultation paper on guidelines on outsourcing to cloud service providers.

The document provides guidance on the outsourcing requirements applicable to financial market participants, such as investment firms and data reporting services providers, when they outsource to cloud service providers. In particular, the guidelines aim to help firms and competent authorities identify, address and monitor the risks and challenges that arise from cloud outsourcing arrangements.

Under the guidelines, a firm should have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s relevant strategies, such as information and communication technology strategy, information security strategy, operational risk management strategy, and internal policies and processes. A firm is expected to clearly assign the responsibilities for the documentation, management and control of cloud outsourcing arrangements within its organisation and to establish an outsourcing oversight function or designate a senior staff member who is directly accountable to the management body and responsible for managing and overseeing the risks of cloud outsourcing arrangements.

Also, a firm should maintain an updated register of information on all its cloud outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements.

For the cloud outsourcing arrangements concerning critical or important functions, the register should include information, such as the reference number for each cloud outsourcing arrangement, its start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the CSP and for the firm, as well as a brief description of the outsourced function, including the data that is outsourced and whether this data includes personal data.

Before entering into any cloud outsourcing arrangement, a firm should assess whether the arrangement concerns a critical or important function, and assess all relevant risks of the arrangement. A firm will have to undertake appropriate due diligence on the prospective CSP and identify any conflict of interest that the outsourcing may cause.

A written agreement with a CSP should expressly allow the possibility for the firm to terminate it, where necessary.

Moreover, a firm should set information security requirements in its internal policies and procedures and within the cloud outsourcing written agreement and monitor compliance with these requirements on an ongoing basis, including to protect confidential, personal or otherwise sensitive data.

In case of outsourcing of critical or important functions, a firm should ensure that it is able to exit cloud outsourcing arrangements without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with the applicable legal requirements, as well as the confidentiality, integrity and availability of its data.

A firm should ensure that the cloud outsourcing written agreement does not limit the firm’s effective exercise of the access and audit rights as well as its oversight options on the CSP.

Finally, if sub-outsourcing of critical or important functions (or a part thereof) is permitted, the cloud outsourcing written agreement between the firm and the CSP should specify certain information, such as any parts or aspects of the outsourced function that are excluded from potential sub-outsourcing.

These guidelines will apply from June 30, 2021 to all cloud outsourcing arrangements entered into, renewed or amended on or after this date. ESMA instructs firms to review existing cloud outsourcing arrangements and amend them accordingly, with a view to ensuring that they take into account these guidelines by December 31, 2022.

The consultation is open until September 1, 2020.
