Security and governance in cloud banking: The ECB's guide to cloud services outsourcing

Outsourcing cloud services to third-party providers carries significant risks related to data security, operational continuity, and regulatory compliance. Aware of these risks, the European legislature has issued several legal acts addressing the supply of cloud and ICT services (including outsourcing). Key among these are the DORA Regulation, the NIS 2 Directive, and various cybersecurity regulations.

Adding to these is the recent guideline from the European Central Bank (ECB). The document, in analysing the risks associated with cloud banking, references various applicable regulatory provisions, integrating them with the ECB’s own observations and interpretations.

In this article we examine the content of these guidelines and their relationship with current regulations.

Responsibilities and risk management

The guidelines begin by noting that the cloud services market is highly concentrated among a few providers, heightening cybersecurity risks.

So, unsurprisingly, effective governance of cloud services is one of the crucial aspects addressed. Banking institutions have to establish robust governance programs that include vendor selection, performance monitoring, and risk management. As already prescribed by Article 28 of the DORA Regulation, this includes a detailed pre-emptive risk analysis of outsourcing critical services. The ECB specifies that the analysis should consider various aspects such as vendor lock-in, data security risks related to potential loss, alteration, destruction, or unauthorized disclosure, and geopolitical implications (for instance, if a data centre is located in a politically unstable country).

It's also crucial that contracts between financial institutions and Cloud Service Providers (CSPs) clearly define the responsibilities of the parties, including crisis management and conflict resolution, ensuring that financial institutions maintain full operational responsibility despite outsourcing critical services.

Data security and service integrity

Data protection is a priority in the ECB guidelines. Financial institutions have to implement advanced security measures such as data encryption during transmission and storage. The ECB emphasizes that managing encryption keys to ensure continuous data security is essential. So it’s appropriate to identify detailed policies and procedures for managing the entire lifecycle of encrypted data, including encryption algorithm details, key lengths, data flows, and processing logic.

Beyond encryption, institutions should consider adopting multi-cloud technologies, micro-segmentation, and data loss prevention measures to further mitigate risks. The guidelines also recommend carefully evaluating data localization, considering potential legal and geopolitical risks. Although activities like these are already mandated by regulations like DORA, the ECB provides practical suggestions for proper compliance. For example, the guidelines mention the opportunity to create a detailed list of ICT activities, including those outsourced to CSPs. Additionally, the ECB advises institutions to compile a list of countries that can ensure acceptable data treatment, considering the risks of disputes and possible sanctions. Lastly, institutions should evaluate additional risks if a subcontractor is located in a different country than the CSP.

Financial institutions are also encouraged to implement strong identity and access management (IAM) policies. Multi-factor authentication techniques and constant access privilege monitoring are recommended to prevent potential vulnerabilities. Institutions must also conduct independent oversight and internal audits of cloud services to ensure compliance with regulatory requirements and adherence to industry best practices.

Operational continuity and emergency planning

The ECB underscores the importance of developing effective operational continuity plans to address significant disruptions in cloud services. The guidelines suggest including detailed procedures for data backup and service restoration, ensuring that institutions can maintain operations during adverse events such as cyberattacks or CSP service incidents. Practically, the guidelines emphasize the importance of not storing backups in the hosting cloud. And they advise regularly testing plans to ensure their effectiveness and adequacy under stress conditions.

Under the NIS 2 Directive and DORA, institutions have to implement proportionate resilience measures for critical functions, adopting strategies like using hybrid cloud architectures and geographically distributed data centres. The ECB highlights this approach’s significance as it not only enhances security and service availability but also reduces the risk of dependence on a single provider or geographical location.

The guidelines also emphasize the need to test the disaster recovery plans of their CSP and not rely solely on the certifications provided by the CSP itself: institution and CSP personnel should be involved in recovery procedures, designated roles should be transparently assigned, and deficiencies found during testing should be documented and analysed to promptly identify the most appropriate corrective measures.

Exit strategy and contract management

Another critical aspect the ECB highlights is the exit strategy to mitigate the risks associated with outsourcing. According to DORA, financial institutions must develop detailed exit plans for each critical outsourcing contract. The guidelines clarify that these plans should include clear exit procedures, identify the roles and responsibilities of the parties involved, and estimate the costs for transitioning services to a new provider or internalizing functions in the event of contract termination or CSP failure.

Institutions are also encouraged to negotiate contract clauses that establish conditions for contract termination, including cases of inadequate performance, continuous severe violations of contractual terms, or changes in the CSP's operational structure. These clauses should be regularly monitored and updated to reflect emerging best practices in the cloud computing sector. The ECB recommends that financial institutions use standard contractual clauses when outsourcing their services: for instance, contracts should include provisions on how to calculate the cost of conducting onsite audits.

Clarifications for the banking sector

As stated by the authors, the guidelines "do not establish legally binding requirements." In fact, the ECB didn’t intend to impose additional burdens on banking sector operators already dealing with EBA outsourcing guidelines, DORA, NIS 2, and other legislative acts.

Rather, the guidelines aim to provide useful clarifications on the regulations, bringing the authority’s perspective to a sector that risks being affected by legislation that’s not always clear. In this sense, the practical examples included in the guidelines will certainly help the parties involved adopt all the measures, including contractual ones, required by the regulations.

The guidelines are a key tool for uniformly applying the requirements of the new European regulations. Some crucial provisions – such as those in the regulatory technical standards provided for by DORA – will only be clarified in the coming months. And by that time, financial institutions and providers will already have started the compliance process.