This blog post covers regulatory consistency in cloud due diligence guidance. It is particularly important right now: as changes to third-party risk management accelerate in the COVID-19 environment, organizations already considering increased use of the cloud will most likely be further motivated by the heavily promoted resilience that cloud service providers (CSPs) offer. In the recessionary environment we are now seeing, the combination of improved resilience and lower costs (both human and capital) will rightly sway many toward the cloud.
Especially during times of rapid change, consistent regulatory guidance matters. Where guidance varies across international boundaries, companies operating in multiple geographies rightly wonder which guidance applies to them. The stage is set for exactly that situation in regard to cloud due diligence requirements and how those requirements should be embedded into financial services contracts. Regulators should address the divergence quickly.
The OCC’s release of its “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29” (2020-10) in early March was notable for its drill-down on two cloud-related questions:
- “Does a company that provides a bank with cloud-computing have a third-party relationship with the bank? If so, what are the third-party risk management expectations?”
- “What type of due diligence and ongoing monitoring should be conducted when a bank enters into a contractual arrangement in which the bank has limited negotiating power?”
First things first: The OCC’s March guidance says “Third-party risk management for cloud computing services is fundamentally the same as for other third-party relationships.”
Regarding the second question, due diligence expectations when the outsourcing bank has limited negotiating power: this should be viewed against a widening gap between the OCC’s cloud due diligence expectations on one hand and those of the European Banking Authority (EBA) on the other.
In the United States the highly influential Cloud Security Alliance (CSA) guidance, as we’ll see, assumes that outsourcing institutions may not be able to negotiate which due diligence techniques are written into CSP contracts; those contracts typically limit the due diligence an outsourcer can expect to carry out. In its latest guidance (CSA Security Guidance for Critical Areas of Focus in Cloud Computing, v.4) the organization says: “Don’t assume you can effectively negotiate contracts with a cloud provider —but this also shouldn’t necessarily stop you from using that provider.”
And the OCC, in its updated March guidance, seems to agree. It recognizes that a financial institution (FI) may not be able to obtain the due diligence rights it would typically secure from other critical third parties. In those circumstances the OCC urges the FI to retain “appropriate documentation of efforts to obtain information and related decisions.” In effect: when your bank examiner comes to visit, make sure you can produce records showing how hard you tried to obtain the same due diligence rights you would expect from any other third-party service provider.
Now, let’s look at expectations on the other side of the pond.
The European Banking Authority’s (EBA) recommendations on outsourcing to cloud service providers require the outsourcing institution to obtain a written undertaking from the CSP to “provide to the institution, to any third party appointed for that purpose by the institution and to the institution’s statutory auditor full access to its business premises (head offices and operations centres), including the full range of devices, systems, networks and data used for providing the services outsourced (right of access).” The CSP must also “confer to the institution, to any third party appointed for that purpose by the institution and to the institution’s statutory auditor, unrestricted rights of inspection and auditing related to the outsourced services (right of audit).”
Most importantly, however, the EBA says: “The effective exercise of the rights of access and audit should not be impeded or limited by contractual arrangements.”
In other words, CSPs serving EU institutions are expected to conform to the same due diligence standards as any other outsourcer, with the caveat that where due diligence activities could put another client’s environment at risk, alternative ways of providing a similar level of assurance should be agreed upon.
There is clearly no agreement on what should constitute “appropriate” CSP due diligence and related contractual guidance. Some highly respected security analysts have argued that the kind of complete access requirements outlined in the EU guidance are not appropriate to today’s hyperscale cloud environments, where multiple data centers spread across international boundaries are the norm. Others object to the lack of leverage all but the largest outsourcers have in negotiating CSP due diligence agreements, and to the apparent regulatory acceptance of that reality.
As multinational FIs and other regulated institutions move to the cloud at an accelerated pace, regulatory harmonization across the pond should be a priority. The road to enlightened cloud due diligence regulation might best be paved by an international working group of interested parties (including regulators) working to propose a common standard that assures appropriate ongoing CSP due diligence transparency, however that’s defined.
U.S. Guidance Detail: Cloud Security Alliance Contracts Guidance (Source: Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing, v.4, page 35)
- “Understand how a contract affects your governance framework/model.”
- “Obtain and review contracts (and any referenced documents) before entering into an agreement.”
- “Don’t assume that you can effectively negotiate contracts with a cloud provider—but this also shouldn’t necessarily stop you from using that provider.”
- “If a contract can’t be effectively negotiated and you perceive an unacceptable risk, consider alternate mechanisms to manage that risk (e.g. monitoring or encryption).”
OCC Guidance (2020-10): Does a company that provides a bank with cloud computing have a third-party relationship with the bank? If so, what are the third-party risk management expectations?
- “Consistent with OCC Bulletin 2013-29, a bank that has a business arrangement with a cloud service provider has a third-party relationship with the cloud service provider. Third-party risk management for cloud computing services is fundamentally the same as for other third-party relationships. The level of due diligence and oversight should be commensurate with the risk associated with the activity or data using cloud computing. Bank management should keep in mind that specific technical controls in cloud computing may operate differently than in more traditional network environments.
- When using cloud services, bank management should have a clear understanding of, and should document in the contract, the controls that the cloud service provider is responsible for managing and those controls that the bank is responsible for configuring and managing. Regardless of the division of control responsibilities between the cloud service provider and the bank, the bank is ultimately responsible for the effectiveness of the control environment.”
What type of due diligence and ongoing monitoring should be conducted when a bank enters into a contractual arrangement in which the bank has limited negotiating power?
- “Some companies do not allow banks to negotiate changes to their standard contract, do not share their business resumption and disaster recovery plans, do not allow site visits, or do not respond to a bank’s due diligence questionnaire. In these situations, bank management is limited in its ability to conduct the type of due diligence, contract negotiation, and ongoing monitoring that it normally would, even if the third-party relationship involves or supports a bank’s critical activities….”
- “When a bank does not receive all the information it is seeking about a third party that supports the bank’s critical activities, bank management should take appropriate actions to manage the risks in that arrangement. Such actions may include:
- determining if the risk to the bank of having limited negotiating power is within the bank’s risk appetite.
- determining appropriate alternative methods to analyze these critical third parties (e.g., use information posted on the third party’s website).
- being prepared to address interruptions in delivery (e.g., use multiple payment systems, generators for power, and multiple telecom lines in and out of critical sites).
- performing sound analysis to support the decision that the specific third party is the most appropriate third party available to the bank.
- retaining appropriate documentation of efforts to obtain information and related decisions.
- confirming that contracts meet the bank’s needs even if they are not customized contracts.”
EU Guidance Detail: Access and audit rights for institutions.
- On the basis of guideline 8(2)(g) of the CEBS guidelines and for the purposes of cloud outsourcing, outsourcing institutions should further ensure that they have in place an agreement in writing with the cloud service provider whereby the latter undertakes the obligation: (a) to provide to the institution, to any third party appointed for that purpose by the institution and to the institution’s statutory auditor full access to its business premises (head offices and operations centres), including the full range of devices, systems, networks and data used for providing the services outsourced (right of access); (b) to confer to the institution, to any third party appointed for that purpose by the institution and to the institution’s statutory auditor, unrestricted rights of inspection and auditing related to the outsourced services (right of audit).
- The effective exercise of the rights of access and audit should not be impeded or limited by contractual arrangements. If the performance of audits or the use of certain audit techniques might create a risk for another client’s environment, alternative ways to provide a similar level of assurance required by the institution should be agreed on.
- The outsourcing institution should exercise its rights to audit and access in a risk-based manner. Where an outsourcing institution does not employ its own audit resources, it should consider using at least one of the following tools:
- (a) Pooled audits organised jointly with other clients of the same cloud service provider, and performed by these clients or by a third party appointed by them, in order to use audit resources more efficiently and to decrease the organisational burden on both the clients and the cloud service provider.
- (b) Third-party certifications and third-party or internal audit reports made available by the cloud service provider, provided that:
- i. The outsourcing institution ensures that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and the controls identified as key by the outsourcing institution.
- ii. The outsourcing institution thoroughly assesses the content of the certifications or audit reports on an ongoing basis, and in particular ensures that key controls are still covered in future versions of an audit report and verifies that the certification or audit report is not obsolete.
- iii. The outsourcing institution is satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, reperformance/verification of the evidence in the underlying audit file).
- iv. The certifications are issued and the audits are performed against widely recognised standards and include a test of the operational effectiveness of the key controls in place.
- v. The outsourcing institution has the contractual right to request the expansion of scope of the certifications or audit reports to some systems and/or controls that are relevant. The number and frequency of such requests for scope modification should be reasonable, and legitimate from a risk management perspective.
Considering that cloud solutions have a high level of technical complexity, the outsourcing institution should verify that the staff performing the audit (whether its internal auditors, the pool of auditors acting on its behalf, or the cloud service provider’s appointed auditors) or, as appropriate, the staff reviewing the third-party certification or service provider’s audit reports have acquired the right skills and knowledge to perform effective and relevant audits and/or assessments of cloud solutions.
Source: EBA/REC/2017/03, December 20, 2017.