ESMA has published its cloud outsourcing guidelines that will help firms identify and monitor the risks related to these arrangements.
June 4 2020 | AtoZ Markets – The European Securities and Markets Authority (ESMA) has published a consultation paper on guidelines on outsourcing to cloud service providers, the securities markets regulator announced today.
What is the purpose of ESMA cloud outsourcing guidelines?
According to the announcement, the guidelines’ purpose is to provide guidance on the outsourcing requirements applicable to financial market participants. This is especially important when they outsource to cloud service providers.
They aim specifically to help firms and competent authorities identify, address, and monitor the risks and challenges related to cloud outsourcing arrangements.
“Cloud outsourcing can bring benefits to firms and their customers, for example reduced costs and enhanced operational efficiency and flexibility. It also raises important challenges and risks that need to be properly addressed, particularly in relation to data protection and information security,” Steven Maijoor, Chair, said.
“Financial markets participants should be careful that they do not become overly reliant on their cloud services providers. They need to closely monitor the performance and the security measures of their cloud service provider and make sure that they are able to exit the cloud outsourcing arrangement as and when necessary,” he added.
The proposals will help firms understand and mitigate the risks that they face when outsourcing to cloud service providers.
What the proposed guidelines entail
The guidelines set out the governance, documentation, oversight, and monitoring mechanisms that firms should have in place. They also outline the assessment and due diligence to undertake before outsourcing.
They also include guidance on the minimum elements that outsourcing and sub-outsourcing agreements should include. Furthermore, the guidelines include the exit strategies and the access and audit rights that should be catered for.
Additionally, the guidelines set out the notification to competent authorities and the supervision by competent authorities.
ESMA said that the proposed guidelines are consistent with the recommendations on outsourcing to cloud service providers published by the European Banking Authority (EBA) in February 2017 and subsequently incorporated into revised EBA guidelines on outsourcing arrangements in February 2019, and the guidelines on cloud outsourcing published by the European Insurance and Occupational Pensions Authority (EIOPA) in February 2020.
The consultation is open until September 01, 2020. It seeks feedback from both national competent authorities and financial market participants that use cloud services provided by third parties.