
Page 1

BHS Services S.A. All rights reserved.

Luxembourg, 9th May 2018

Cloud Computing for financial institutions

Luc Maquil

luc.maquil@maqit.lu

Page 2

EU-wide harmonization effort with fast adoption in Luxembourg

Circular 17-654 (Cloud Circular): May 2017 (13 months earlier)

EBA Cloud Recommendations: published December 2017, apply on 1st July 2018

1. Complement existing general outsourcing guidelines for the specific context of cloud outsourcing.

2. Promote guidance to institutions for the use of cloud services in Luxembourg (CSSF) and EU-wide (EBA).

3. Harmonize supervisory expectations across the EU for institutions adopting cloud computing.

Page 3

Differences between General Outsourcing and Cloud Outsourcing

[Diagram: layer stack from top to bottom: Customer Data, Data, Application, Operation, System, Virtualization, Network, Physical. Labels: "Cloud" and "Customer Data and Infrastructure".]

General Outsourcing / 17-656: The outsourcing partner is in charge of resource provision and operation and generally needs access to the customer data. PSF License needed!

vs

Cloud Outsourcing / 17-654: The Cloud Resource Provider does not need access to the customer data. No PSF License needed! The Cloud Resource Operator has access to the data (a PSF license is needed if in Luxembourg).

Page 4

We can finally unleash the public cloud!

Page 5

Outline of the 17-654 Circular

1. Applicable only to real clouds (as defined by NIST)

2. Strict separation between resource provision and cloud operation.

3. Governance, Risk, Business Continuity and Disaster Recovery, Information Security

4. Training is mandatory (Cloud Officer and trained team)

5. Contractual and legal terms (Right to Audit, SLA, Outsourcing Policy)

Process flow: Materiality Assessment, Notification, Approval

Page 6

Materiality Assessment

CSSF: …shall be deemed to be "material":

(a) Any activity necessary for sound and prudent risk management

(b) The institution's ability to meet the regulatory requirements

(c) The ability to continue its operations

EBA: Institutions should perform this assessment of activities' materiality on the basis of the CEBS guidelines and taking into account all of the following:

(a) The criticality and inherent risk profile of the activities to be outsourced

(b) The direct operational impact of outages, and related legal and reputational risks

(c) The impact that any disruption of the activity might have on the institution's revenue prospects

(d) The potential impact that a confidentiality breach or failure of data integrity could have on the institution and its customers

A materiality assessment can be realized as part of an outsourcing project (defined by the Outsourcing Policy).

Page 7

Contractual terms and right to audit

Paragraph / Description / Comments

Paragraph 30:

- Jurisdiction: EU
- Datacenter location in the EU for at least 1 datacenter (comment: for worldwide operators)
- Contract between ISCR and Operator (comment: if inside a group, an inter-group agreement is needed)
- Roles and responsibilities defined
- SLA defined
- Data deletion on contract termination (comment: a link to GDPR)
- Incident management
- Access to documentation

Paragraph 28:

- Customer consent for outsourcing of data and/or processing (comment: it is advisable to change it at the same time as GDPR)

Paragraph 32:

- Unconditional right to audit from Regulator and Customer (comment: if information not available through available.)

Page 8

1. The institution (ISCR) operates the cloud.

[Diagram: ISCR (signatory of the Cloud Agreement and software licensing agreement) and Cloud Resource Provider.]

1. Cloud Officer provided by the ISCR, as well as resources skilled to run cloud operations.

2. The ISCR is the signatory.

3. The Cloud Services Provider can be in Luxembourg or abroad and does not need to have a PSF license.

Best applicable to highly standardized workloads!

Page 9

2. The institution mandates a support PSF to run cloud operations

[Diagram: Client (ISCR), signatory of the IT outsourcing; Cloud Operator PSF (in Luxembourg), signatory of the Cloud Agreement; Cloud Resource Provider.]

1. The ISCR outsources IT cloud operations to the Operator.

2. If in Luxembourg, the Operator needs to be a PSF.

3. The Operator or the ISCR may be the signatory of the cloud contract.

4. If the Operator is the signatory, a specific approval is needed from the CSSF.

Page 10

3. The cloud operator is abroad and non-PSF

[Diagram: Client (ISCR), signatory of the IT outsourcing (operations); Cloud Operator non-PSF (outside of Luxembourg), signatory of the Cloud Agreement; Cloud Resource Provider.]

1. The ISCR outsources operations to the Operator, which is abroad (a non-PSF company) or a member of the group.

2. A thorough risk assessment is needed for the cloud operations.

3. The Operator or the ISCR may be the signatory of the cloud contract.

Page 11

4. Usage of expert resources abroad (Services Agreement)

[Diagram: Cloud Advisor (Expert), i.e. a Software Provider or IT Advisor; Client (ISCR); Cloud Resource Provider; Cloud Operator (signatory of the Cloud Agreement), PSF if in Luxembourg, non-PSF if abroad.]

An external cloud advisor such as a Software Provider or an IT Advisor may advise the operator or the ISCR, as long as there is no delegation of responsibility.

Page 12

Approach

1. Analysis

Actions

■ Collection of the documentation and workshops.

■ Analysis of the Target Operating Model including business model, technology, organization and processes.

■ Gap analysis and creation of roadmap / action list.

Deliverable

■ Proposed actions, recommendations

2. Writing

Actions

■ Assembling of the Approval or Notification Document.

■ Pre-checking the application file with the CSSF (only if needed).

■ Discussions and alignments with the Cloud Resource Provider and/or Operator.

Deliverable

■ Approval or Notification Document

3. Filing

Actions

■ Hand-over of the file to the CSSF.

■ Facilitating the question and answer process.

Page 13

Thank You!

Luc Maquil

luc.maquil@maqit.lu