EBA guidance on the Cloud
What to consider from regulatory (outsourcing) and security (cyber) point of view
In December 2017, the European Banking Authority (EBA) published its final recommendations on the use of cloud service providers by financial institutions.
The EBA Recommendations clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing, addressing five key areas:
- Data security and systems
- Location of data and data processing
- Access and audit rights
- Chain outsourcing
- Contingency plans and exit strategies
The recommendations will apply from 1 July 2018 and fit into the broader EBA work on FinTech since cloud computing is an important enabling technology leveraged by financial institutions to deliver innovative financial products and services.
The recommendations reflect the supervisory expectations for this particular type of outsourcing, allowing financial institutions to benefit from cloud services while ensuring the necessary risk management, controls and regulatory compliance.
A general outsourcing guideline has been in place since 2006 in the form of the Committee of European Banking Supervisors guidelines (CEBS guidelines), on outsourcing. The CEBS guidelines already provide guidance on issues such as information confidentiality and system availability. The final recommendations of EBA elaborate on the need for integrity and traceability, establishing an approach to assessing security when institutions outsource activities to cloud service providers. The recommendations aim to address heterogeneity in supervisory expectations regarding the technical security of cloud computing services.
The recommendations focus on the areas where stakeholders identified the greatest need for supervisory alignment and/or clarification. The aims are:
- to provide the clarity institutions need if they wish to adopt cloud computing and reap its benefits, while ensuring that risks are appropriately identified and managed
- to foster supervisory convergence regarding the expectations and processes applicable to the cloud
While cloud services offer a number of advantages, such as economies of scale, flexibility, operational efficiency and cost-effectiveness, they also raise challenges in terms of data protection and data location, security and concentration risk, not only for individual institutions but also at industry level.
Despite the benefits of public-cloud platforms, persistent concerns about the security of the public cloud have deterred companies from accelerating the migration of their workloads. At the same time, financial institutions have largely moved beyond the question "Is the cloud secure?". They are now asking how they can consume cloud services securely, given that many of their existing security practices and architectures may be less effective in the cloud.
Understandably, companies are experimenting with a variety of designs for controls, and, given the pace of progress, cybersecurity executives anticipate considerable change to these controls over the next three years.
The benefits of cloud services are recognised in Romania as well. Digitisation and innovation in financial services are a major focus for both supervisory and regulatory authorities. Contingency plans and exit strategies form an important part of any cloud outsourcing arrangement, and the EBA recommendations provide guidance on the contractual and organisational arrangements for contingency plans and exit strategies that institutions should have in place when outsourcing to the cloud.
How can we help?
Securing today's network services is no longer a matter of securing the perimeter alone; 'defence in depth' is the challenge organisations face. In addition, the frequency and sophistication of attacks have grown considerably over the last few years, while the skills and knowledge required to carry them out have decreased. To keep up with this risk, organisations need professional expertise to secure their infrastructure and applications. Deloitte offers services that help mitigate the risk of security breaches:
- Regulatory advisory
Help banks navigate the transformation of the banking business model in line with the existing recommendations on outsourcing
- Vulnerability assessment
Assessment of the risks posed by security vulnerabilities in your systems
- Infrastructure penetration testing
Penetration testing to simulate a hacker attack on your critical network infrastructure
- Application penetration testing
Assessment to identify flaws in applications that may allow unauthorised access or unauthorised transactions
- Red Teaming Operations
A holistic approach to information security assessment: a realistic attack that addresses the three linked elements of information security, physical, cyber and human.
- Server configuration review
Review of your server configurations to identify weaknesses
- Application Security Testing (AST)
We leverage static application security testing technology that keeps the client one step ahead, with forty percent portfolio coverage versus five percent with the traditional approach.
- Managed Security Monitoring
This managed service monitors your data and IT landscape 24/7. Together we establish which digital assets are critical, assess the risks they are exposed to, and respond to threats immediately.
- Phishing as a Service
With Phishing as a Service, we train your employees to detect phishing scams and raise security awareness. We use different scenarios to test how your employees respond to phishing e-mails.
- Threat Intelligence Analytics (TIA)
Looks for potentially threatening events taking place outside the organisation’s perimeter and provides custom insights in line with the organisation’s strategic and intelligence requirements.
- Social Listening & Analytics (SLA)
Empowers organisations to do more than merely react to social media. We enable them to protect themselves, leverage opportunities and understand the risks arising from these sources.
- Cyber Gamification Platform (Hackazon)
This cloud-based learning platform is accessible 24/7 and continuously updated. In this online lab, we use gamification to improve the technical cyber security skills of your employees. The curriculum can be tailored to your organisation.
- Cloud DDoS Protection
Cloud-based anti-DDoS and WAF protection for infrastructures, websites and DNS servers
- DDoS Simulation
DDoS attack simulations to verify that your protection works as intended and to analyse any gaps detected.
- Cyber incident response
Through our blend of people, methodology and technology, we can provide rapid reporting and an understanding of the systems attacked to help triage the data at risk.
- Cyber Forensic
Predict, detect and respond to the risks and vulnerabilities that arise from global corruption, litigation, fraud, financial mismanagement and other threats.
- Cyber Academy
We deliver online and on-site technical training and awareness programs to clients and internal practitioners via a dedicated EMEA Cyber Academy Online Platform. This platform is accessible 24/7.
- Cyber Risk Management and Compliance
Drawing on our experience of managing cyber risk and compliance in diverse situations, we can help your organisation define tailored cyber risk management frameworks, set and implement cyber control frameworks, and ensure compliance with cyber security regulations.