Europe’s markets regulator has warned financial markets participants not to become “overly reliant” on their cloud services providers — and urged them to furnish evidence of a clearly tested cloud exit strategy.
The comments came in a draft 29-page European Securities and Markets Authority (ESMA), consultation paper published today (June 3, 2020).
This sets out cloud guidelines for trading firms, designed to help them “identify, address and monitor” the risks ESMA sees with with “outsourcing” production applications or any other services to the cloud.
ESMA Paper Follows EBA Guidelines
European regulators and policy makers have remained wary of the “concentration risk” posed by the wholesale shift of services to US-based cloud firms.
Indeed, the paper was published as Europe plans to reveal details Thursday of its own indigenous cloud services provider, dubbed “Gaia-X”. This is being designed to offer a home-grown counterweight to US-owned hyperscalers, amid growing discomfort in European capitals over their dominance.
Among ESMA’s guidelines in the paper: a range of security demands unlikely to surprise any experienced CISO.
For example, it wants market actors to ensure “a clear allocation of information security roles and responsibilities between the firm and the CSP [cloud services provider] including in relation to threat detection, incident management and patch management”.
(Shared responsibility still throws up issues in many enterprises…)
Other security recommendations include guidance on network and application logic segmentation.
As ESMA notes: “Consider appropriate levels of segregating networks (for example tenant isolation in the shared environment of the cloud, operational separation as regards the web, application logic, operating system, network, Data Base Management System (DBMS) and storage layers) and processing environments (for example test, User Acceptance Testing, development, production).”
An Exit Strategy
What stands out is the need to demonstrate a clear exit strategy.
Firms should “develop and implement exit plans that are comprehensive, documented and sufficiently tested”, ESMA suggested.
They should also “ensure that the cloud outsourcing written agreement includes an obligation for the CSP to orderly transfer the outsourced function and all the related data from the CSP and any sub-outsourcer to another CSP indicated by the firm or directly to the firm.”
(It is requesting feedback on this and other points by September 1, 2020).
Businesses should be also “perform a business impact analysis that is commensurate to the function outsourced to identify what human and other resources would be required to implement the exit strategy” ESMA added.
The watchdog’s chairman Steven Maijoor noted in a corresponding statement: “Cloud outsourcing can bring benefits to firms and their customers, for example reduced costs and enhanced operational efficiency and flexibility. It also raises important challenges and risks that need to be properly addressed, particularly in relation to data protection and information security.
“Financial markets participants should be careful that they do not become overly reliant on their cloud services providers.”
Dr Richard Harmon, MD of Financial Services at enterprise data specialist Cloudera, told Computer Business Review: “The issue from the regulator side – in my opinion – is largely about the lack of transparency into the potential exposures. So without any data on which critical applications are running in which cloud provider they are essentially blind on potential systemic cloud concentration risk effects.”
He added: “Furthermore, they can utilise this data to develop simulation models that can evaluate what types of contagion effects can potentially result from a wide range of disruptions triggered by hiccups at one or more of the public cloud providers. This will help them quantify the risks, be able to develop much more effective contingency plans and evaluate the effectiveness of potential policies to minimise the impact of any disruption.”
ESMA says the proposed guidelines are consistent with similar recommendations published by the European Banking Authority and incorporated into EBA guidelines in February 2019; ditto for guidelines from the European Insurance and Occupational Pensions Authority published in February 2020.
What are you thoughts on the consultation paper? Over-zealous? Not rigorous enough? Missing a key issue or concern? We’d love to hear them. Get in touch with ed dot targett at cbronline dot com