ESMA consultation on cloud outsourcing guidelines

The European Securities and Markets Authority (ESMA) published a consultation paper on outsourcing to cloud service providers.

16 July 2020

Introduction

On 3 June 2020, ESMA published a consultation paper, setting out draft guidelines on outsourcing to cloud service providers (Guidelines). Aspects of the draft Guidelines are aligned to the recent EBA Guidelines on Outsourcing that are being implemented in credit institutions and other entities in scope of EBA regulation. However, the Guidelines will, once implemented, apply to a much wider range of firms, including investment firms and credit institutions when carrying out investment services and activities, AIFMs, UCITS management companies, depositaries of AIFs and UCITS, CCPs, trade repositories, data reporting services providers and market operators of trading venues, CSDs, credit rating agencies, securitisation repositories and benchmark administrators.

The closing date for feedback on the consultation is 1 September 2020. ESMA expects to publish the final Guidelines within six to twelve months and they will apply to firms from 30 June 2021.

As the Guidelines will not come into effect until after the scheduled end of the Brexit transition period, their applicability to UK firms is not yet certain. The FCA has noted, in respect of ESMA guidelines generally, that it may consider those produced post-transition, and that where it considers it appropriate it will set out its expectations for UK firms. In any event, firms with EU affiliates will need to ensure compliance with the Guidelines, once implemented.

The draft Guidelines

We have set out below some key take-aways from the draft Guidelines.

As with much of the regulatory guidance on cloud and outsourcing more generally, there is a significant emphasis in the draft Guidelines on putting systems and processes in place to properly select, contract with, keep a register (including the prescribed information) of, and oversee, cloud suppliers. An absence of these measures – for example if cloud outsourcing is perceived as simply an IT process without legal and compliance involvement – poses a significant risk to firms. At the same time, it takes resolve and clarity of thought to apply these systems and processes when suppliers often present their offerings on a take-it-or-leave-it basis and there are operational benefits to adopting them.

The key challenges for in-scope firms are to set up the systems and processes to achieve compliance and to have the resolve to implement them under pressure.

ESMA notes that national competent authorities should have regard to the principle of proportionality when supervising compliance with the Guidelines. A particular focus is placed on the outsourcing of critical or important functions.

Guideline 1. Governance, oversight and documentation

Key take-aways:

  • establish a defined cloud outsourcing strategy;

  • establish an outsourcing oversight function or designate a senior
    staff member who is directly accountable to the management body (use
    of cloud services should not be viewed purely as an IT matter);

  • maintain an updated register of information on all of the firm's cloud
    outsourcing arrangements, distinguishing between the outsourcing of
    critical or important functions and other outsourcing arrangements
    and including pre-outsourcing due diligence; and

  • ESMA expresses concern that some firms may feel little accountability
    for outsourced functions and may not monitor them to the extent
    expected. While there may be practical challenges with effectively
    monitoring large public cloud operators such as Amazon Web Services,
    Google, Microsoft and others, through a combination of due diligence
    (on which we comment further in relation to Guideline 2), reviewing
    periodic reports which are generated about cloud services providers
    (such as SOC1, SOC2 and SSAE 18 reports) relating to their security
    and other controls, and further oversight, firms will generally be
    capable of fulfilling this requirement.

Guideline 2. Pre-outsourcing analysis and due diligence

Key take-aways:

  • onus on firms to conduct proper pre-outsourcing analysis and not
    simply accept a one-size-fits-all (or take it or leave it)
    approach from cloud service providers;

  • for critical or important functions there is a detailed list of due
    diligence considerations; and

  • due diligence on critical or important outsourcing should be
    refreshed periodically and in the event of material changes and
    re-performed in the event of significant deficiencies and/or
    significant changes to the services provided or to the situation of
    the cloud service provider. This due diligence requirement is
    particularly likely to be triggered as firms transition applications
    and data onto the cloud over time. As they do so, their reliance on
    the cloud services providers increases and, as a result, services
    need to be viewed in a different light (and potentially
    re-categorised as critical or important when they did not
    previously fall into that category).

Guideline 3. Contractual requirements

Key take-aways:

  • include certain prescribed contractual provisions (including
    termination rights) in critical or important outsourcing agreements;
    and

  • ESMA acknowledges the challenges (especially for smaller firms) of
    negotiating with cloud service providers but notes the importance of
    mitigating material risks. As a result, if a cloud service provider
    is not prepared to accept the related requirements, firms need the
    resolve not to appoint it.

Guideline 4. Information security

Key take-aways:

  • implement prescribed information security requirements / controls in
    relation to critical or important outsourcings.

Guideline 5. Exit strategies

Key take-aways:

  • implement and test exit plans for individual cloud service
    outsourcing arrangements; and

  • exit plans should be updated as there are changes to the outsourced
    function. While in some instances only limited exit related
    assistance (such as in relation to handover of data) will be
    required, in others a more substantial exit plan will be needed to
    support the smooth transition from the cloud services provider to
    another provider at the end of the term.

Guideline 6. Access and audit rights

Key take-aways:

  • the Guidelines include detailed requirements in relation to access
    and audit rights and practices – these can be notoriously contentious
    in the context of cloud services; and

  • while there is scope under the Guidelines to rely on third party
    certifications and audit reports made available by the cloud services
    provider as evidencing its compliance with particular requirements
    and standards, these should be used selectively in relation to
    critical or important cloud outsourcings.

Guideline 7. Sub-outsourcing

Key take-aways:

  • prescribed requirements and restrictions should be followed and
    applied to vendors in relation to sub-contracting (which is another
    contentious area when it comes to cloud services); and

  • include prescribed contractual provisions regarding sub-contracting
    in critical or important outsourcing agreements, including by
    specifying in the contract any part or aspect of the outsourced
    function which may not be sub-outsourced without the firm’s consent.

Guideline 8. Written notification to competent authorities

Key take-aways:

  • the Guidelines stipulate the information that should be included in
    notifications to national competent authorities regarding outsourcing
    of critical or important client functions. There are ten aspects that
    should be covered, ranging from the date of the most recent risk
    assessment/audit together with a brief summary of the main results,
    and the date of the next planned risk assessment/audit, to “the
    individual or decision-making body in the firm that approved the
    cloud outsourcing arrangement”.

Next steps

Assuming that the Brexit Transition Period ends as scheduled on 31 December 2020, the applicability of the Guidelines to UK firms is not yet clear. However, as noted above, firms with EU affiliates will need to ensure compliance with the Guidelines, once implemented.

Once finalised, the Guidelines will apply to all in-scope firms from 30 June 2021 in relation to all cloud outsourcing arrangements entered into, renewed or amended on or after this date. Firms are also required to review and update (if necessary) cloud outsourcing arrangements entered into prior to 30 June 2021, with a view to ensuring that they take into account these Guidelines by 31 December 2022, and to inform their national competent authority if they fail to do so.

Firms will need to put in place work-streams for updating internal policies and procedures, as well as for reviewing existing arrangements and engaging with service providers as required.

How can Simmons & Simmons help?

Simmons & Simmons would be pleased to assist with the development of your cloud strategy, project plans, preparing of policies (including contracting policies) and contract review and negotiation.
