Introduction
The adoption of cloud computing and the transfer of data across borders are increasing, but they introduce important risks. Recent guidance from the Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA) highlights the need for strong governance, risk management, and compliance in these areas. As regulation develops, it is important for financial institutions to take clear steps to manage the challenges and responsibilities that come with using cloud services and offshoring data.
Understanding the regulatory context
The PA and FSCA have issued a joint communication to guide financial institutions on how to manage the risks of cloud computing and data offshoring. While a detailed regulatory standard is being developed, the authorities have set out their current expectations. Institutions are expected to use a risk-based approach, supported by good governance and careful due diligence, to protect the confidentiality, integrity, and availability of their data.
Steps financial institutions should take
1. Strong governance
Financial institutions should have clear governance structures to oversee cloud computing and cross-border data transfers. This includes:
- Developing a board-approved data strategy and governance framework.
- Defining who is responsible for managing cloud and data offshoring arrangements.
- Making sure these arrangements fit with the institution’s risk appetite and the scale of its operations.
2. Create clear policies and procedures
Institutions should have policies that set out how cloud services and data offshoring will be used. These should:
- Explain how cloud service providers and data storage locations are chosen.
- Cover legal and contractual requirements, including how rights and obligations will be enforced.
- Require that contracts with cloud and offshore providers give the financial institution adequate audit rights, and rights to information in the event of a cyber security incident.
- Require that contracts impose the necessary cyber security requirements on third parties, so that the institution can ensure compliance with all relevant financial sector laws and regulatory guidance, such as the joint standards on cyber security and cyber resilience.
3. Carry out thorough due diligence
Before entering into any cloud or data offshoring arrangement, institutions should:
- Assess the security, reliability, and resilience of the cloud solution. Many cyber security incidents arise through third-party providers, and careful pre-contractual checks can mitigate these risks.
- Check that the provider can meet regulatory and contractual requirements.
- Consider the risks of storing or processing data outside South Africa, including data protection and access controls. A personal information impact assessment must be completed, and reviewed as the risks evolve.
4. Manage risks and ensure resilience
Institutions should:
- Regularly review and monitor risks linked to cloud computing and data offshoring.
- Take steps to protect the confidentiality, integrity, and availability of important data and systems.
- Ensure that all systems storing or otherwise processing personal or sensitive information are documented, and that their security is continually tested through penetration testing and audits of third parties.
- Prepare for possible disruptions by having business continuity and disaster recovery plans in place.
5. Keep up to date with regulatory changes
The regulatory environment is changing, with a draft Joint Standard on cloud computing and data offshoring expected soon. By following the above steps, which reflect best practice, financial institutions will be well placed to meet new regulatory requirements as they are introduced.
Conclusion
Cloud computing and cross-border data transfers are common in the financial sector. By following these steps, financial institutions can make the most of these technologies while managing the risks and meeting regulatory expectations. Strong leadership and proactive planning will help institutions build secure and resilient data strategies for the future.