The vision of DNB on the supervision of cloud computing
CBCS: Information Technology Service Management Seminar
Evert Koning, 18 November 2014


Page 1: The vision of DNB on cloud computing · 2019-07-26 · ICT-related risks 4. Mission statement of EC-ICT Was ... Cloud computing Cloud computing qualifies as a form of outsourcing

The vision of DNB on the supervision of cloud computing
CBCS: Information Technology Service Management Seminar

Evert Koning, 18 November 2014

Page 2:

Financial industry in the Netherlands

Institution type          Number
Banking                      100
Insurance companies          300
Pension funds                350
Investment firms             350
Trust and payment firms      400
Total                       1500

Page 3:

Strategy

Supervision focuses on protection of the interests of:

• creditors/consumers
• stability and integrity of the financial system

This means that Supervision must stay informed about, and understand, what institutions are doing and how they manage and control the risks.

Identify relevant developments and threats in a timely manner and advise on them.

Page 4:

Strategy of ICT supervision

ICT focus: strategy with differentiation

An institution of some magnitude is not viable without ICT.

Supervision needs to make certain that the institutions recognise and adequately manage ICT-related risks.

Page 5:

Mission statement of EC-ICT

Was:

To offer the maximum added value for general Supervision specifically, as well as for the Central Bank as a whole, by means of effective and efficient use of people and tools, with the focus on the different expertises within the department.

Is:

To achieve, through effective and efficient means, adequate control of IT risks by supervised institutions.

Page 6:

Supervision cycle


Page 7:

Assessment of risks


Page 8:

Organisation EC-ICT

• 10 IT examiners

• No hierarchy

• 3 levels of experience

• Flexibility

• Account structure T5 and T4


Page 9:

Cloud computing

Cloud computing qualifies as a form of outsourcing, so the same legal requirements apply:

• risks need to be demonstrably known and mitigated
• outsourcing to third parties may not obstruct supervision by DNB

http://www.toezicht.dnb.nl/en/binaries/Circulaire%20cloud%20computing_tcm51-224828.pdf

Page 10:

Legal Framework Outsourcing

Specific rules for outsourcing (6 articles)

• Outsourcing is not allowed if it obstructs prudential supervision of the institution (art. 27)
• Outsourcing is not allowed if it harms the independent internal audit and compliance process (art. 28)
• The institution needs to have a sourcing strategy and detailed procedures in place to manage the outsourcing (art. 29)

Page 11:

Legal Framework Outsourcing

Specific rules for outsourcing (6 articles)

• The institution needs to have sufficient procedures, knowledge and information to assess the outsourced processes (art. 30)
• A sufficient written outsourcing agreement is mandatory (art. 31)
• The above-mentioned articles are not applicable if the processes are outsourced to a company in another country that is part of the group of the financial institution (art. 32)

Page 12:

Legal Framework

Specific rules for risk management (4 articles)

• Policy regarding control of risks is documented in detailed procedures and measures to control risks (art. 23)
• Systematic and independent risk analysis (art. 23)
• The institution supervises compliance with the procedures and measures mentioned in art. 23 (art. 24)
• Internally developed models are assessed and validated (art. 25)
• The treasurer of the institution has procedures and measures in place to ensure the financial position (art. 26)

Page 13:

Definition cloud computing

NIST definition of cloud computing (ref. SP 800-145): "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."

Page 14:

Attention points cloud computing

• Where are my (back-up) data?
• Who can access my data?
• How do I know that performance is as contracted?
• Exit from cloud provider: is all data wiped?
• Right to audit also for subcontractors?

Page 15:

Cloud computing / International aspects

International agreement on cloud computing

Letters on cloud computing: APRA, MAS, DNB, US, Spain and Canada. All countries have the same attitude w.r.t. cloud computing; some countries are more strict.

Source:
http://www.toezicht.dnb.nl/binaries/Cloud%20computing_tcm50-224828.pdf

Page 16:

International agreement

Common understanding ITSG

• Cloud computing qualifies as outsourcing
• Cloud computing is defined by NIST
• A right to audit for supervisors is mandatory in contracts
• E-mail is considered part of critical business

Page 17:

Cloud computing & DNB

Journey with Microsoft:

• Circulaire cloud computing, 6 December 2011 (English 10 January 2012*)
• Contact with financial institution about Microsoft cloud services
• Contact with Microsoft
• Contact with Microsoft and financial institution
• Agreement with Microsoft NL -> involvement of Microsoft EMEA and US
• Agreement with Microsoft US
• Implementing Microsoft Office 365 at financial institution
• Visit to Dublin datacentre
• Visit to Microsoft Campus Redmond

*http://www.toezicht.dnb.nl/en/binaries/Circulaire%20cloud%20computing_tcm51-224828.pd

Page 18:

Agreement with Microsoft

http://www.toezicht.dnb.nl/en/7/51-226970.jsp

Page 19:

DNB & Cloud computing

Symposium Cloud Computing 2013

Regulator view

Assurance

Lessons learned by Service providers

Lessons learned by Financial organisations

Market perspective

http://www.toezicht.dnb.nl/7/50-228265.jsp

Risk analysis framework based on ENISA*:
http://www.toezicht.dnb.nl/binaries/Sjabloon%20cloud%20computing%20%20risicoanalyse_tcm50-228202.pdf

* http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

Page 20:

Cloud computing – right to examine


Page 21:

Questions?

Evert Koning, Operational Risks & Data quality

Telephone: +31 20 524 2428
Mobile: +31 6 524 96 399
E-mail: [email protected]