While the Financial Conduct Authority (FCA) has given its approval for firms to outsource their IT and data storage to third-party cloud providers, that consent comes with a number of guidelines, issued to ensure that such arrangements remain compliant.

Essentially, the FCA has said there is “no fundamental reason why cloud services cannot be implemented”. The caveat, however, is that a regulated firm must be able to show that it and its provider have taken all reasonable measures to protect against the risk of data loss, security breaches and business continuity failures.

Therefore, as a business owner looking to outsource to a cloud provider, asking these 10 key questions can help you satisfy yourself that the provider is working within the rules and that your arrangement is FCA compliant.
What protocols are in place for data loss?
By outsourcing to the cloud you may be handing custody of critical, and possibly highly sensitive, data to a third party. However, as the FCA guidelines make clear, responsibility and accountability for protecting that data remain with your company. You therefore need to understand the checks and measures your provider has in place to protect it, so that you can document a thorough risk assessment and demonstrate the due diligence showing that all reasonable precautions have been taken.
Will you have a level of control over where data is stored?
The guidelines stipulate that firms must have “choice and control regarding the jurisdiction in which their data is stored, processed and managed”. Again, this comes back to the fact that it is the business that retains ultimate responsibility for its data.
What security measures does the provider have in place?
Security and protection against cyber-threats should be a business-critical factor when assessing which cloud provider to work with. Your third-party provider must be able to demonstrate robust security measures, such as encryption of your data both in transit and at rest, and explain how those measures are applied to your data specifically.
Is the cloud service public?
If yes, how is your data segregated and protected?
The FCA guidelines allow the use of public cloud services. However, to satisfy the overall data protection and security implications, you should establish how your provider stores, segregates and secures your data on that shared platform.
What measures does the provider have in place for business continuity?
In the event of an unexpected interruption of service, you need to be satisfied that the provider has robust backup and recovery processes in place so that your business can continue to operate without undue cost or harm.
How accessible is the data?
The FCA stipulates that all regulated firms, along with their auditors and regulators, must have a process in place through which they can gain access to the business data held by the provider.
Are you able to access the provider’s premises?
The guidelines require a level of physical access to the premises of third parties delivering services to regulated businesses, for example for regulatory inspection or auditing purposes.
Does the provider comply with international standards of IT service?
As part of your own due diligence when researching a cloud provider, certification to recognised international standards (such as the ISO 27000 series) is not sufficient evidence on its own, but it does demonstrate pre-existing adherence to industry standards.
Is there a suitable exit plan?
Finally, for the purpose of business continuity, the FCA guidelines require that a suitable exit plan is in place. This should allow your business to leave the outsourced service in an efficient fashion, with no undue interruption to business operations.