Bank of England plans tough new rules on IT resilience, avoiding cloud "concentration risk"
Demands "full access and unrestricted rights for audit and information..."
The Bank of England (BoE) has raised fresh concerns at the possibility of “systemic concentration risks” arising from the migration of financial market infrastructure (FMI) to the cloud in a new consultation that suggests a significantly more robust set of demands to ensure IT resilience is coming soon for financial services providers.
It is calling on boards in draft new rules to "approve, regularly review, and implement a written third party risk management policy" spanning cybersecurity, operational resilience and data protection among other areas and that firms have a "formalised contractual agreement to be in place for all outsourcing arrangements".
This should span "provisions for full access and unrestricted rights for audit and information" including "the results of security penetration testing carried out by the outsourced third party, or on its behalf, on its applications, data, and systems to assess... cyber and internal IT security measures and processes."
Central counterparties (CCPs), central securities depositaries (CSDs), recognised payment system operators (RPSOs) and specified service providers (SSPs) will also need to notify the Bank and "seek the Bank’s non-objection when entering, or significantly changing a critical outsourcing or third party arrangement" it said -- adding on April 14 that "reliance on other third parties when participants outsource their financial market infrastructure connectivity, including hardware and other solutions, to the cloud. When multiple participants use common third parties, operational risks can be correspondingly concentrated and the third party may become a source of systemic risk..." They should, as a result, have a documented exit plan the BoE urges.
Outsourcing to the cloud should not impede regulatory abilities...
The central bank also said that all market participants subject to the proposed rules will need to ensure that outsourcing agreements "do not impede or limit the Bank’s ability to effectivity supervise... the outsourced activity, function or service" and that they should have "robust controls, including security mechanisms where relevant, for data-in-transit, data-in-memory, and data-at-rest" among other planned requirements.
Setting out three new draft supervisory statements on April 14, the central bank said they aim to “facilitate greater resilience and adoption of the cloud and other new technologies” as well as “requirements and expectations in relation to outsourcing and third party risk management in FMIs”. (Comments are due back July 14.)
> Follow The Stack on LinkedIn today <
The concerns come three years after the central bank commissioned its “Future of Finance” report from banker Huw van Steenis in which he claimed that cloud technologies have matured to the point “they can meet the high expectations of regulators and financial services.” (The bank responded somewhat sceptically, saying that it would “continue to work with firms to manage the risks associated with cloud outsourcing, including concentration risk and lack of substitutability; and to understand any tipping points for systemic risks…”)
Critically however, the Bank of England said it "recognises the potential negative consequences of restrictive data localisation requirements on... innovation, resilience, and costs. None of the expectations in this [paper] should be interpreted as explicitly or implicitly favouring restrictive data localisation requirements" -- but it calls on firms to "identify whether their data could be processed in any jurisdictions that are outside their risk appetite or tolerance" as part of standard due diligence risk assessment in the pre-outsourcing phase.
Bank of England cloud concerns: Concentration risk fears remain
Reading the draft supervisory statements it is clear that concerns around concentration risk vendor lock-in have not dissipated in the past three years.
“Some participants are also outsourcing their financial market infrastructure connectivity to the cloud, which could introduce new or increase existing systemic risks for FMIs and the payment system as a whole… The technical complexity of some technologies provided by third parties coupled with the fact that they are constantly evolving can make it difficult for the boards and senior management of FMIs to understand and manage relevant risks. These difficulties can be amplified when third parties outsource parts of the services they have contracted to provide to FMIs or participants to other third parties. This is known as ‘sub-outsourcing’ and it increasingly involves complex, long chains of third parties” one statement warns.
It adds: “In addition, the provision of certain outsourced and third party services, such as the cloud, which can be heavily dominated by a small group of third parties, may limit FMIs’ or participants’ ability to exit outsourcing arrangements without incurring significant costs, and/or disruption, and require significant resources and time (‘vendor lock-in’)... if a large number of FMIs become dependent on a small number of dominant outsourced or third party arrangements which are very difficult or impossible to substitute, this could, over time, give rise to systemic concentration risks. A major disruption, outage or failure at one of these third parties could create a single-point-of-failure with potential adverse consequences for financial stability.”
New rules are on the horizon
Payments firms should have business continuity plan that ensure they are "able to resume operations
within two hours following disruptive events, and the plan should be designed to enable... complete settlement by the end of day even in the case of extreme circumstances" the proposed rules say, adding that the Bank of England expects firms to "consider the implications of deliberately destructive cyber-attacks when establishing or reviewing data recovery capabilities, either individually or collaboratively with the third party.
The Bank may also request data on outsourcing arrangements under section 204 information gathering powers of the Banking Act, it added in the draft statements -- emphasising meanwhile that firms affected by the proposed new rules should develop their own processes for assessing "criticality" as part of their outsourcing or third party risk management policy, but should "generally consider an outsourcing or third party arrangement as critical where a defect or failure in its performance could [respectively] threaten the transfer of payments or safety and efficiency of a payment system/settlement services/clearing services.
Firms affected by the rules should also ensure that they are considering "cloud configuration management, encryption and key management, access and activity logging, incident detection and response, loss prevention and recovery, data segregation (if using a multi-tenant environment); and operating system, network, and firewall configuration" among other components of their operational risk framework the draft new BOE rules say.
See also:
- Consultation Paper - Outsourcing: Central Counterparties
- Consultation Paper - Outsourcing: Central Securities Depositories
- Consultation Paper - Outsourcing: Payment System Operators and Service Providers