Cloud sourcing: are you familiar with Luxembourg s revised regulatory environment?

Transcription

1 Cloud sourcing: are you familiar with Luxembourg s revised regulatory environment?

2

3 Contents 4 Cloud sourcing: are you familiar with Luxembourg s revised regulatory environment? 6 The new CSSF Circular 17/654 in brief 9 Disrupting the status quo of traditional IT sourcing 11 Cloud sourcing: a milestone for organizations 14 About EY s Advisory Services 15 Want to learn more?

4 4 Cloud sourcing Do you have 15 minutes and a credit card? That is all it takes for anyone within an organization today to set up a cloud solution. This ease of access is one of many reasons individuals and business units use cloud service providers (CSP) with an increased frequency. Following this trend, the Luxembourg supervisory authority of the financial sector, the CSSF (Commission de Surveillance du Secteur Financier), launched in May 2017 Circular 17/654 to clarify the regulatory environment on IT out-sourcing based on a cloud computing infrastructure. The process of sourcing IT in a cloud computing model is also known as cloud sourcing, which is seen as a revolutionary sourcing alternative in Luxembourg s financial services industry. Next to the dedication of IT staff to shift into shared IT services, or the fact that costs will be based on demand for IT capabilities in future, Luxembourg s regulated institutions face the new opportunity to subscribe to cloud computing services with a third party located abroad. The European Union Agency for Network and Information Security (enisa) defines cloud computing as on demand service model for IT provisions, often based on virtualization and distributed computing technologies.

5 Cloud sourcing 5 Cloud sourcing: a revolutionary sourcing alternative? The International Data Corporation (IDC) stated in its updated Worldwide Semiannual Public Cloud Services Spending Guide that worldwide public cloud services and infrastructure will reach US$122.5b in 2017, an increase of 24.4% over Despite the rapid escalation of cloud services, many IT executives remain hesitant to endorse a cloudfirst approach. Worse, there are some who refuse to adopt any cloud-based services at all, citing security and privacy concerns, operational challenges, or inability to control information once it leaves the perimeter. Respondents to Path to cyber resilience: Sense, resist, react- EY s Global Information Security Survey reflected this concern, with 16% reporting that cloud computing use had changed their risk exposure most in the last 12 months. This attitude can increase an organization s risk rather than mitigate it. In order to meet fierce competitive demands and new business requirements, many organizations have found internal stakeholders will procure cloud computing services directly, without involving IT experts and without fully addressing regulatory and compliance matters thus leaving the associated risks unmanaged. 1 The IDC guide can be downloaded here: 2 EY s Global Information Security Survey can be downloaded here:

6 6 Cloud sourcing revised revised regulatory regulatory environment? environment? The new CSSF Circular 17/654 in brief In May 2017, Luxembourg s supervisory authority of the financial sector, the CSSF, published the CSSF Circular 17/654 addressing IT outsourcing based on a cloud computing infrastructure (thereafter the Circular) which became immediately effective. The CSSF Circular aims to provide clarification on the regulatory framework by providing definitions about the Luxembourg cloud computing model by an external service provider. The CSSF follows the definitions of authoritative international organizations such as the National Institute of Standards and Technology of the U.S. Department of Commerce (NIST) and the European Union Agency for Network and Information Security (enisa). enisa defines cloud computing as on-demand service model for IT provisions, often based on virtualization and distributed computing technologies. Cloud computing architectures have Highly abstracted resources Near instant scalability and flexibility Near instantaneous provisioning Shared resources (e.g., hardware, database, memory) Service on demand, usually with a pay as you go billing system programmatic management (e.g., through web services application programming interface) In scope of the Circular are all credit institutions, investment firms, specialized PFS (Professional of the Financial Sector), support PFS, payment institutions, and electronic money institutions which aim to outsource their IT services to a Cloud Service Provider (CSP). Such entities must immediately apply the 17/654 requirements and are not anymore covered by sub-section 7.4. of the CSSF Circular 12/552 on central administration, internal governance and risk management, as amended. The Circular provides five defining attributes of cloud computing: 1. Measured service 2. On-demand self-service 3. Resource pooling 4. Rapid elasticity 5. Broad network access Due to the Circular, cloud computing comprises four deployment models: 1. Public cloud: available publicly; any organization may subscribe 2. Private cloud: services built according to cloud computing principles, but accessible only within a private network 3. Community cloud: cloud services offered by a provider to a limited and well defined number of parties 4. Hybrid cloud models: a composition of two or more distinct cloud infrastructures (i.e., private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)

7 Cloud sourcing 7 CSPs offer a wide spectrum of services. Generally, the following categories are used: 1. Infrastructure as a Service (IaaS): IaaS capabilities include processing, storage, networks and other fundamental computing resources where the consumer is able to deploy and run software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications and perhaps limited control of selected networking components (e.g., host firewalls). 2. Platform as a Service (PaaS): PaaS enables the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the CSP. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and possibly application hosting environment configurations. 3. Software as Service (SaaS): SaaS enables the consumer to use the CSP s applications running on a cloud infrastructure. The applications are accessible from various client devices through a client interface such as a web browser (e.g., webbased ). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited userspecific application configuration settings. Furthermore, the Circular emphasizes the requirements that a regulated institution using cloud resources has to comply with (i.e., the so-called ISCR Institution Supervised by the CSSF and Consuming cloud computing Resources).

8 8 Cloud sourcing In practice, financial service players consider turning to cloud computing in order to optimize their cost of technology, to improve employee productivity and to eliminate technology as a barrier. However, the adoption and implementation of the process of IT outsourcing from the cloud will bear risks, particularly around data security and governance. Any Luxembourg regulated institution willing to use a cloud computing model should consider such new risks. To be considered as a cloud sourcing model based on the Circular, the five attributes defining the cloud computing model as mentioned above are considered as mandatory and need to be completed by the following two additional conditions: The personnel at the CSP cannot access data or systems without explicit consent from the institution. The services provided do not require manual intervention for the daily management of cloud resources used by the institution. Whether or not the outsourced activity is considered as material, an authorization from CSSF or a simple notification are required. The data confidentiality well known principle is now replaced by the need to know and least privilege principles: accesses to data and systems are granted only to people whose functions justify this access. Privileges are restricted to the minimum. Finally, the regulated institution should assess the opportunity to obtain the client consent or just to inform them, considering the legal risks. Organization will have to comply with the General Data Protection Regulation 3, as of May In a nutshell: 5Cloud computing is the location-independent delivery of IT management services. Cloud computing architectures have five attributes: 1. Measured service 2. On-demand self-service 3. Resource pooling 4. Rapid elasticity 5. Broad network access 3Three categories of cloud computing Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as Service (SaaS) 4Four deployment models Public cloud model Private cloud model Community cloud model Hybrid cloud model 3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation GDPR). The GDPR is relevant in the European Economic Area, which is composed of the European Union Member States plus Norway, Iceland, and Liechtenstein. Additional information on GDPR can be downloaded from our webpage

9 Disrupting the status quo of traditional IT sourcing Cloud sourcing is disrupting the traditional status quo of IT sourcing and offering new alternatives and new players: institutions will shift from dedicated IT staff into shared IT services, from heavy and constant hardware or IT costs to on demand payment for IT capabilities, and from the limited choice of having IT activities outsourced to PFS in Luxembourg to a wide range of CSPs located abroad. The Circular introduces the option to select a local CSP in the Grand Duchy of Luxembourg or a CSP domiciled abroad to regulated Luxembourg institutions subscribing to third party cloud computing services. Indeed, the use of cloud services often results in the organization s information assets being physically stored in new geographic locations, including new countries. Having said that, this does not mean that the CSSF is not concerned anymore with data confidentiality. Moving data to the cloud does not preclude or eliminate the requirements for confidentiality and data protection. At times, moving data to the cloud can increase the complexity of protecting data as well as the risk of exposure. Information traversing public networks is more vulnerable to attacks from external parties. As a result, organizations and CSPs need to pay particular attention to how these transactions are protected during storage, processing and transmission. Therefore, a thorough risk analysis is required including, for non Luxembourg CSPs, an assessment of geopolitical risks, and applicable laws particularly in regards to data protection. To avoid the risk of having data in countries with poor data protection, the CSSF stipulates that a cloud sourcing contract can only be signed with a service provider subject to a law of European Union Member States (EU), and that at least one of its data centers is located in the EU. On the other hand, cloud sourcing does not mean at all relying on services provided by a third party while ignoring where data is. For obvious reasons (such as limiting risks of concentration or dependence), the regulated institution should be able, at any time, to know where data and systems are located. Cloud sourcing?9 Questions for executives: What are the legal, regulatory and contractual obligations impacting the company s information assets? Has our organization adopted information classification policies and procedures with associated handling requirements? Has information classification and ownership been shared with the CSP? How is information protected when it is transmitted between the onpremise environment and the cloud? How is the CSP protecting the company s information as it is transmitted and stored? How does our vendor detect a compromise or intrusion? How do we control and access our data after they are moved to the cloud?

10 10 Cloud sourcing revised? regulatory environment? Questions for executives: Is there a governance model in place to manage the transition and operation of the information flow from our organization to the cloud? Has our organization performed a formal risk and security analysis on the information that is being transitioned to the cloud? Is the cloud integration strategy in line with management s risk appetite? How does the risk of deploying or maintaining an on-premise solution compare with leveraging a cloud service? Regulated financial institutions not only need to cover contractual risk, they are also required to enforce a sound governance and to have proven and documented controls for safeguarding data and avoiding pitfalls. Policies and procedures have to be revised and updated to consider cloud sourcing risks. A wider service level monitoring must be established to cover areas such as availability, quality and performance improvement. Furthermore, thorough risk analysis has to be performed in particular when the CSP is not a PFS, whether because it is located outside of Luxembourg or it is another entity within the group. In addition, a Cloud Officer should be appointed within the entity managing cloud computing resources. This person will be in charge of monitoring the provided services and should have sufficient knowledge to understand the challenges behind a cloud computing infrastructure, and to be the ultimate guarantor for employees skills at the service provider. The position of the Cloud Officer is similar to the Data Protection Officer as mandated by the GDPR. Regulated institutions should ensure that they have a right-to-audit clause in contracts. They have to verify whether the CSP respects its contractual obligations and to assess if risks are duly managed, data are well protected, access is restricted, continuity and availability are ensured. Over time, the need for this right could be relaxed and in many cases replaced by appropriate third-party assurance reports or certifications. Which independent assurance reports or certifications regarding information security and data protection does our CSP offer? How can we ensure the quality and security of our data?

11 Cloud sourcing 11 Cloud sourcing: a milestone for organizations Many organizations have either adopted or are planning to adopt some form of cloud computing technology. Today, executives and Chief Information Officers (CIOs) are more and more leveraging the cloud to gain competitive advantages. With the recent changes in the geopolitical environment (e.g., Brexit the process by which the United Kingdom withdraws from the EU), and the revised regulatory environment (GDPR, the 17/654 Circular, amendment of Article 41 of the Luxembourg Law of 5 April 1993 on bank secrecy), it is expected that regulated institutions will more and more consider implementing enterprise-wide cloud services under public-, private- or hybrid cloud models. CIOs and executives, along with the benefits that cloud sourcing can deliver, are challenged with new risks that they must account for and manage over time. The key is to balance the risks with the value the cloud service provides to the business. On their journey to build a trusted cloud system, the following 6 key dimensions should serve as blue print for executives: Organization: An organization s risk exposure is affected, in large part, by the users of its cloud ecosystem. Both internal users and CSP staff who have access to the cloud ecosystem can introduce risk. To manage these risks, many organizations choose to update roles and responsibilities. Moving to a cloud-based model represents a shift away from operators of the technology environment to governors of the ecosystem, a new IT operating model that presents different challenges and issues. Technology: Without proper identity and access management (IAM) controls, or the application of segregation of duties, neither the organization nor the CSP will know who has access to which data or application. The underlying technical configuration of the controls that exist in the cloud can make the difference between a trusted ecosystem and an inevitable breach. Besides, as new threats and vulnerabilities emerge, companies need defined processes for anti-virus, patch and vulnerability management.

12 12 Cloud sourcing Data: Maintaining information assets is a challenge for many organizations. To adequately protect information assets, organizations first need to understand what information assets they possess and how valuable they are. This understanding becomes more important as information moves to the cloud, where more users can access it, including CSP staff, third parties and employees. Operations: Moving from an on-premise solution to a cloud solution has a significant impact on IT operations. Organizations can vastly improve their efficiency, provided they take steps to establish governance, address controls related to foundational security, manage physical and environmental risks, and plan for continuity and recovery scenarios. In addition to verifying the operational controls, organizations and CSPs should negotiate a quality control process, including testing and acceptance criteria for each service to ensure the cloud service customers business needs and service-level agreements are met. Audit and compliance: Organizations need to support audit and compliance functions by implementing robust verification and compliance procedures. A practical approach to audit and compliance in the cloud should include a coordinated combination of consistent and defined internal policy compliance, regulatory compliance and independent auditing. Compliance activities should be defined and agreed upon by applicable groups to confirm support. Audit and compliance functions assessing cloud technologies should perform initial data gathering to understand where the cloud is deployed, the cloud service model(s) used and the information or transactions processed in the cloud. Once data is identified, the audit function should establish audit plans and activities, including regularly scheduled independent reviews and assessments. These reviews will address any issues in established policies, procedures or contractual and regulatory compliance. An inventory of the organization s legal, statutory and regulatory compliance should be documented and updated regularly. At a minimum, CSPs should have a third-party assurance report (such as SOC1, SOC2 or SOC3 depending on the needs) or a valid third party certification (such as ISO 27001) as it will provide a recognizable point of reference for auditors and assessors. Governance: Many organizations believe that the responsibility for accountability, oversight and transparency transfers to the CSP when the data does, which is absolutely not the case. Accountability, oversight and transparency are paramount in the cloud ecosystem. Well-developed governance results in scalable programs that are repeatable, measureable, defensible and constantly improving.

13 Cloud sourcing 13 How EY can help: Cloud sourcing is, without any doubt, a complex undertaking fraught with risks and challenges. Some key questions decisions makers and Chief Information Officers might ask are: How to select the right CSP? Where to begin to address CSSF requirements? How to ensure compliance with other Luxembourg domestic Regulations? EY offers a range of privacy assurance and advisory services. We are ready to help our clients assess their sourcing programs against the CSSF requirements, design practical recommendations and help them in the submission of their application to the CSSF. With many successful outsourcing analysis projects, our audit assignments and our reviews of third party assurance reports behind us, we are able to help our clients address the needs of their sourcing programs. Our services include, but are not limited to: Design Identification of cloud service opportunity: developing a cloud-services roadmap and rolling out the IT services strategy Assistance in the assessment and selection of cloud service provider: understand and evaluate CSP capabilities, and work with business and procurement to select the most appropriate provider Contracting: translate business and IT requirements into specific service level agreement, define roles and responsibilities, ensure that audit rights are addressed Execution Gap analysis: identify legal, regulatory and compliance requirements, compare current state with target operating model, propose adjustments and mitigate risks of non-compliance Assistance in the preparation of the application file to be submitted to the regulator Control and certification Review and assess third party certification (ISO/IEC 27001) or third-assurance control (such as SOC1, SOC2 or SOC3 depending on the needs), in order to evaluate design and/or operational effectiveness of security controls in place Perform independent audit of the CSP to verify that both the privacy and security of customer data are ensured, and to assess regulatory compliance

14 14 Cloud sourcing About EY s Advisory Services Improving business performance while managing risk is an increasingly complex business challenge. Whether your focus is on broad business transformation or more specifically on achieving growth and optimizing or protecting your business, having the right advisors on your side can make all the difference. Our 30,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and exceptional client service. We use proven, integrated methodologies to help you solve your most challenging business problems, deliver a strong performance in complex market conditions and build sustainable stakeholder confidence for the longer term. We understand that you need services that are adapted to your industry issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where your strategy and change initiatives are delivering the value your business needs. To find out more about how our Advisory services could help your organization, speak to your local EY professional or a member of our global team, or view ey.com/advisory. Your contacts at EY Luxembourg are: Olivier Maréchal Partner, Financial Services Advisory Leader, EY Luxembourg Olivier.Marechal@lu.ey.com Karim Bouaissi Senior Manager Financial Services Advisory, IT Risk and Assurance EY Luxembourg Karim.Bouaissi@lu.ey.com

15 Cloud sourcing 15 Want to learn more? Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issues and provide you with valuable insights about our perspective. Please visit our Insights on governance, risk and compliance series at ey.com/grcinsights The cloud is ready for you. Are you ready for the cloud? Path to cyber resilience: Sense, resist, react When finance moves into the cloud, will CFOs sleep better at night? EU General Data Protection Regulation: Are you ready? Financial Services connected? Responding to the new regulatory environment

16 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com Ernst & Young S.A. All Rights Reserved. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice. ey.com/luxembourg