The Bank of England has warned pointedly that “boards and senior management cannot outsource their responsibilities” in a new supervisory statement on outsourcing and third-party risk management – which sets clear ground rules for cloud use by payments companies and warns leadership to ensure that they a have a “documented exit plan for critical outsourcing arrangements where such an exit is considered possible, explicitly catering for the unexpected termination of an outsourcing agreement (a stressed or unplanned exit).”
It also wants full audit access to cloud services, saying that firms in scope should ensure “a formalised contractual agreement to be in place for all outsourcing arrangements, irrespective of criticality and including intragroup arrangements… [that should give the Bank] full access to such information it may require [and] effective access, audit and information rights [that] should cover (as appropriate) premises, data, devices, information, systems and networks used for providing the service or monitoring its performance”.
These should include, the Bank of England emphasises (8.4), “a summary of the results of security penetration testing carried out by the outsourced third party, or on its behalf, on its applications, data, and systems to assess the effectiveness of implemented cyber and internal IT security measures and processes.”
The Bank of England outsourcing and third-party risk management supervisory statement, published February 8, sets expectations that affected companies need to comply with by February 9, 2024 – it is intended to complement the ‘Bank of England policy on Operational Resilience’ published in March 2021, and reminds companies in scope tartly that they should look to avoid “concentration risks or vendor lock-in” and are “required to notify the Bank in writing prior to entering into any new outsourcing agreement, and… [seek its] non-objection when entering, or significantly changing a critical outsourcing or third party arrangement.”
The rules apply to recognised payment system operators (RPSOs) and specified service providers (SSPs) and the central bank added that it “considers that it is not sufficient for RPSOs and SSPs merely to negotiate adequate access, audit, and information rights; these must also be used when appropriate” (The Stack’s italics.)
Bank of England outsourcing rules
The Bank of England’s outsourcing paper emphasises that data access remains a key sensitivity for financial services providers; cloud provider operator access is a concern for many regulators and the BoE emphasises (hopefully obviously to some) that “where a critical outsourcing or third party agreement involves the transfer of or access to data, the Bank expects RPSOs and SSPs to define, document, and understand their and the third parties’ respective responsibilities in respect of that data and take appropriate measures to protect them.
Where a critical outsourcing or third party agreement involves the transfer of data BoE said it expects firms to:
- “Classify relevant data based on their confidentiality and sensitivity;
- “Identify potential risks relating to the relevant data and their impact (legal, reputational, etc);
- “Agree an appropriate level of data availability, confidentiality, and integrity;
- “Agree an appropriate recovery point and recovery time objective; and
- “If appropriate, obtain appropriate assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.
Bank of England rules on data location
There are not, as expected, strict requirements on data location in the central bank’s supervisory statement, with the BoE saying it recognises “potential benefits for operational resilience of RPSOs and SSPs using cloud technology to distribute their data and applications across multiple, geographically dispersed availability zones and regions. This approach can strengthen… ability to respond to and recover from local operational outages faster and more effectively, and enhance their ability to cope with fluctuations in demand.”
Security controls it expects affected firms to apply/look out for include (our summary): Configuration management; encryption and key management; identity and access management, which should include stricter controls for individuals whose role can create a higher risk in the event of unauthorised access; the ongoing monitoring of ‘insider threats’; access and activity logging; incident detection and response; loss prevention and recovery; data segregation (if using a multi-tenant environment); operating system, network, and firewall configuration; staff training; the ongoing monitoring of the effectiveness of the third party’s controls, including through the exercise of access and audit rights; policies and procedures to detect activities that may impact information security (eg data breaches, incidents, or misuse of access by third parties); and procedures for the deletion of enterprise data from all the locations where the third party may have stored it.