Public vs private cloud for regulated entities


Post on 20-May-2020


Page 1

Public vs private cloud for regulated entities

Page 2

PwC

DC2: Restricted use

The cloud is for everyone … but not for everything

Public vs Private Cloud for Regulated Entities

March 2017

Page 3

Opportunity … enabler

Accessibility

Low Maintenance

Low/No CAPEX

Flexibility

Dynamic

SAAS

PAAS

Co-hosting

IAAS

Co-location

Public

Hybrid

Private

Agility

Page 4

Rights … concerns … challenges

Location?

Access?

Seizure?

Stability?

Ownership?

Confidentiality?

Auditability?

SAAS

PAAS

Co-hosting

IAAS

Co-location

Public

Hybrid

Private

Page 5

Is regulation slowing you down?

Page 6

Many regulated sectors, Many Authorities

Common principles

Banking

Investment services

Insurance

Remote Gaming

Health

Pharmaceuticals

Telecommunications

The professions (Legal; Engineering; Accounting and Audit; …)

MFSA

MGA

Page 7

Many regulated sectors, Many Authorities

Common principles

Does not impair the supervision of the authority

Compliance with the regulations must not be undermined

None of the conditions to which the Licensed Entity is subject must be removed or modified

Senior management does not delegate its responsibility

The relationship and obligations towards clients must not be altered

Capability to resume direct control over an outsourced activity, in extremis

Page 8

Today, cloud is not a novelty

improved disaster recovery

better performance for global users

superior infrastructure manageability and flexibility

[Chart: Public Cloud, Private Cloud, Hybrid Cloud]

Percentages of US enterprises using public, private and hybrid clouds.

(Source: Evaluator Group Cloud Trends Analysis based on publicly available survey data.)

Page 9

Private hosted cloud for better control?

Main resistance to cloud computing:

Security

Regulation

Data protection

Actually, cloud service providers often enhance overall security

Generally security is shared: host and tenant are responsible for different parts of the stack

Application

Platform

Infrastructure

Operating System

Hypervisor

Hardware + network

HOST

TENANT

Page 10

Security

An improvement or a concern?

67%

Hosted private cloud adopters listed improved security or ability to meet compliance as their top driver but also as their top concern

Page 11

Safeguards

Recognise that no form of outsourcing is risk free and that risk is carried by the outsourcing entity

Due diligence in choosing a cloud provider

Certifications

Location

Monitor performance and stability

Implement and test contingency plans

Consult the authority on what alternative measures could adequately mitigate the risks involved

Page 12

Contractual tips

Exit management (planned + unplanned)

Data portability

Performance measures/service levels

Confidentiality/secrecy/data protection

Chain-outsourcing obligations

Data breach notification obligations

Supervisory authority and auditor rights [data + premises]

Change in structure/ownership triggers

Page 13

Branded Trust

Page 14

Forecast: Mostly cloudy

This presentation has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

Copyright © 2017 PricewaterhouseCoopers. All rights reserved. PwC refers to the Malta member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.