A survey by the Bank of England earlier in the year identified thousands of cloud-based applications in use across the financial services sector, noting that cloud outsourcing, “where companies store information and use software via shared virtual data and processing services, rather than relying on local servers”, is becoming increasingly popular [1], as well as highly concentrated. The survey indicates that banks use cloud outsourcing more widely than insurers. They mainly use it to run software and access additional processing capacity (Software-as-a-Service or SaaS) or to support IT infrastructure (Infrastructure-as-a-Service or IaaS). The use of SaaS outweighs the use of IaaS, and with digital transformations powered by cloud technologies having been accelerated throughout the pandemic [2], the prevalence of cloud as the preferred technology architecture model will undoubtedly continue to grow.
Reliance on third-party outsourcing, including Cloud Service Providers, has attracted considerable recent regulatory interest. With the EBA [3], EIOPA [4] and ESMA [5] all publishing guidance on the management of cloud outsourcing, the PRA has also published Consultation Papers seeking to enable more consistent oversight of arrangements. The Outsourcing and third party risk management Consultation Paper CP30/19 [6] gives pragmatic guidance to firms for outsourcing (including cloud), with CP 29/19 also requiring firms to determine the cloud service’s materiality to the outsourcing firm.
As part of transitioning or “migrating” to the cloud, responsibility for the operation of many controls shifts from the outsourcer to the service provider. This is commonly referred to as “the shared responsibility model”, with the balance of responsibility being dialled up or down depending upon the service and the deployment model adopted.
Accountability for the operation of effective controls within this broader control environment nevertheless remains with the outsourcer, who in the regulators’ eyes is also accountable for the broader safeguarding of data and IT assets. As such, robust oversight and assurance mechanisms on the outsourcer’s side become obligatory in this environment.
Outsourcing organisations should also periodically assess and manage their associated concentration risks, particularly where they over-rely on one of the top-three cloud service providers to support critical services. The regulators are particularly concerned because this presents operational risks for the organisation itself, and also financial stability risks for the system as a whole.
Internal audit teams considering auditing the adoption of cloud within their organisation should consider audits of cloud governance, cloud migration programmes, and targeted reviews of one or more technical areas across a stable environment or deployment. These focus areas will enable functions to understand how effectively the organisation is identifying and managing the risks associated with cloud. The nature of the deployment, the complexity of the environment and the level of maturity will in turn determine the overall audit need and the specific scoping for IT audit teams.
__________________________________________________________________
[1] https://www.bankofengland.co.uk/bank-overground/2020/how-reliant-are-banks-and-insurers-on-cloud-outsourcing
[2] https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gx-fsi-realizing-the-digital-promise-covid-19-catalyzes-and-accelerates-transformation.pdf
[3] https://eba.europa.eu/eba-publishes-revised-guidelines-on-outsourcing-arrangements
[4] https://www.eiopa.europa.eu/content/guidelines-outsourcing-cloud-service-providers_en
[5] https://www.esma.europa.eu/press-news/esma-news/esma-consults-cloud-outsourcing-guidelines
[6] https://www.bankofengland.co.uk/prudential-regulation/publication/2019/outsourcing-and-third-party-risk-management