The CSSF did not wait for the latest technical developments to introduce rules on IT services. A number of texts have been issued, ranging from specific rules on IT outsourcing to cloud computing in a dedicated Circular 17/654, recently revisited under Circular 19/714, the so-called Cloud Computing Circular. A distinction has to be made between IT outsourcing in general and IT outsourcings relying on cloud computing solutions, as different rules apply, albeit with certain overlaps:
- Rules on IT outsourcing are still set out in sectoral rules, and therefore differences may occur depending on which type of licence an institution holds.
- Rules on cloud computing are aligned across all entities, as the Cloud Computing Circular has applied to all entities under the supervision of the CSSF since its update in March 2019.
In the world of management companies and alternative investment fund managers (IFMs), the CSSF wishes to fully understand the IT infrastructure in place and expects to see a fully documented IT system and network architecture showing each system that is used. Moreover, IT security policies, including the usual business continuity plans, need to be in place. In addition, the CSSF requires a robust contractual framework to support any reliance on third parties. Third parties include group entities, and hence the CSSF requires full due diligence to be performed on them as well. To verify this, the CSSF performs onsite visits that are either fully dedicated to IT or at least carry an IT component.
With regard to banks and PSF, the CSSF has historically imposed a number of constraints in the case of a partial or full outsourcing of IT-related activities. In general, any recourse to a third party had to be the subject of either a request for authorisation or a notification, depending on the case. This was accompanied by initial due diligence and periodic monitoring, a contractual framework, and documentation adapted to the activity concerned (procedures, risk management policy, etc.). Especially for activities related to consulting, programming, maintenance or management of computer systems, the use of a PSF provider was necessary. This is still the case today. Nevertheless, the CSSF recently decided to lighten the procedure for cloud-hosted activities according to the scope of the services provided and their materiality. The philosophy is to integrate a risk-based approach and introduce a principle of proportionality into the requirements on operability, security and continuity.
The updated Cloud Computing Circular, which introduced a proportionality principle, in essence requires entities to submit notifications for non-material outsourcings and authorisation requests for material outsourcings. In order to ensure the coherence and quality of authorisation submissions, the CSSF has created template forms and a guide explaining which form to use in which case. All outsourcings, material or not, need to be documented in a cloud computing register. These changes nevertheless raise new questions, such as how to define materiality and what happens if an outsourcing considered non-material is actually material in the eyes of the CSSF. Guidance from the CSSF exists; however, borderline cases will always remain. Typically, an outsourced activity that may be seen as critical for some players may not be material for others.
We can expect this topic to become even more important over time. Cloud computing is an unavoidable means of secure and efficient data management in financial institutions, especially where they operate globally. This is already shown by the simple fact that more than 50% of all authorisation files for PSF and banks integrate cloud components, without these necessarily relating to core business applications. One can expect the European regulators and legislator to regulate cloud computing service providers more strictly in the near future, as the increasing concentration on cloud computing solutions may give rise to systemic risk.
Overall, one can say that a healthy risk management approach to IT outsourcing is needed, regardless of whether there is a cloud element or not. From the strategic decision, which will entail elements such as elasticity needs, global platform use and cyber exposure, to the implementation of the target model, the choice of set-up and service provider to meet the identified requirements will necessarily require an appropriate list of criteria covering the provider's experience, capability and expertise, financial strength and resources, security (protective and detective), and monitoring and reporting capabilities. Once this phase is done, one should have all the necessary elements to communicate properly with the regulator and obtain the regulatory approval needed.