Finance firms using, or considering, the cloud and other third-party IT services must ensure they adhere to the new guidelines set out by the Financial Conduct Authority (FCA) and carry out the appropriate security risk assessments. This is according to The Bunker, which argues that a failure to do so will result in increased data security risks.
The FCA recently published new guidance for firms outsourcing to the cloud to clarify what is required of companies and to help firms effectively oversee all aspects of the lifecycle of their outsourcing arrangements. The FCA maintains that there is no reason why cloud services should not be used by financial services firms, as long as the appropriate consideration is applied in line with the rules set out. The FCA has urged financial firms to manage the operational risks associated with outsourcing by applying due diligence with regard to IT providers before committing to work with them, and by agreeing a “data residence policy” with the chosen provider.
Phil Bindley, CTO at The Bunker, a data storage firm, said: “Cloud is here to stay and it is experiencing increasing adoption due to the major benefits it brings. However, the issue of security is one that remains at the forefront of the cloud debate. Putting appropriate guidance in place and acknowledging the potential risks are two integral steps when it comes to ensuring that the security risks associated with the cloud are minimised. Under the new FCA guidelines, financial firms need to take the appropriate steps to mitigate security risks so that their overall security hygiene is acceptable; this will encourage financial institutions to really consider how and where they are storing their data.
“The cloud has the potential to act as a key enabler across financial institutions; however, many of these firms have been apprehensive to adopt this technology, due to the security-sensitive environment in which they operate. As a result, these guidelines should be welcomed. Not only do they bring in new support for the cloud, but they also address the risks associated with securing data.
“These guidelines should be embraced as they encourage firms to do their due diligence to make sure they understand the ways in which their data is stored, processed and managed. By way of example, included is the ability to request an on-site visit to the relevant premises owned and operated by the cloud provider. A salient element of this guidance is to help firms effectively oversee all aspects of their outsourcing arrangements. When outsourcing to the cloud, it’s vital for financial services firms to appoint a Cloud Services Provider who can offer the consistent cyber resilience necessary, as well as transparency throughout the entire lifecycle; failure to do so can put an organisation’s data in danger.”