Outsourcing To The Cloud – Advice On Risk Mitigation In Line With FCA Guidance

“Cloud-first strategies are the foundation for staying relevant in a fast-paced world,” 

Ed Anderson, Research Vice President, Gartner, July 2016

As we do every January, I joined a number of colleagues at SES to discuss the last calendar year and the trends and client concerns that we expect to prevail into 2017. The increased adoption of SaaS or ‘cloud’ services featured prominently. As the adoption of cloud technology continues apace I want to highlight some considerations in line with the FCA finalised guidance document from July. SES works closely with our FCA regulated clients to understand the various risks presented through the adoption of new technology and facilitate effective protections and DR strategies. By appropriately identifying and mitigating risks, it is our goal to increase the ability of our clients (and firms generally) to benefit from constantly evolving technology.

I always advise clients when transitioning to the new service delivery, that it is crucial they carry out their own assessment on how this affects risk and SES will assist them. Key factors are: what is changing? How does this affect risk? Are other areas of the business affected? Will this increase overall risk? Depending on the application and its importance, traditional models designed for ‘on premise applications’ may no longer be suitable. Of course requirements can differ greatly but having a documented approach that is regularly reviewed will help organisations identify and maintain effective risk mitigation. Effective strategies should look to incorporate industry good practice and be aware of data and security management requirements. Cyber risks guidance from relevant regulators should be included as well as consideration of contractual and regulatory requirements.

When considering IT applications delivered through the ‘cloud’, firms must be aware that the operation risk varies significantly to their traditional ‘on premise’ applications. Without the infrastructure on site, the application is delivered through web portals that are commonly either owned or provided by your supplier. This can make the impact of supplier failure much more immediate. Indeed, the first indication of a problem with the supplier has been the complete withdrawal of access to the IT application and all associated data, never to be restored.

For clients yet to embrace cloud technology, fear of a potential data loss remains an obstacle. As such numerous organisations that could potentially benefit from new technology have been reluctant to change their service delivery and in turn, this has acted as a barrier to further growth, but does this need to be the case? With installed applications you have the security of your data on site, accessible at all times. Cloud services can often leave critical data stored with the software vendor or with hosted service providers on accounts owned by your software vendor. In both of these instances, should the software vendor fail or no longer be in a position to support or maintain the application, this can and has left organisations in a position where they are unable to access their vital information.

To guard against this potential data loss, SES has developed Escrow solutions that allow for a simplified high deposit strategy. Traditional Escrow and even some cloud offerings have been based on a single deposit (with a potential emergency deposit) but this model is unsuitable for dynamic environments where data can become out of date very quickly. Using a secure SFTP depositing method, cloud application vendors are currently depositing with SES on a deposit schedule set out by their clients e.g. hourly, daily, weekly etc. This allows firms to be confident that, should their supplier enter difficulty, the material held in Escrow on their behalf will be relevant and usable.

Whilst all firms are expected to perform their due diligence on each supplier, there are numerous examples of seemingly secure and stable organisations entering into difficulties (e.g. 2e2).  Therefore, it is important that you have appropriate arrangements in place to ensure that you can continue to function and meet your regulatory obligations in the event of an unforeseen interruption or disconnection of your ‘cloud’ based services. When considering your continuity plan, Software Escrow coverage should be a key consideration to protect your critical applications and mitigate any potential impact on business functions, employee relations and brand reputation.

In the event of software vendor failure, having an effective exit plan that meets regulatory compliance whilst limiting disruption, is essential. Once in place, all parties need to be aware of their responsibilities and SES always advise appointing a set contact and/or department to maintain its readiness. Fundamentally, the exit plan needs to be tested, as far as it is reasonable to do so, to be trusted. When Escrow is a part of the plan, firms should be aware of the different testing levels available on deposits to ensure they have appropriate protections in place – for all applications of a critical, bespoke, heavily customised or revenue generating nature, SES recommends Remote Code Validation Testing as a minimum requirement. Through this service, the SES consultant will witness and document your software supplier perform a full audit rebuild of the software application from the Escrow deposit to ensure the application can be restored independently in a release.

About SES  

SES is a Software Escrow specialist who provides assurance agreements to clients in more than 40 countries. For over a decade, it has been our mission to challenge the Software Escrow sector by offering innovative IT technology, flexible agreements and comprehensive solutions to protect every business.

If you would like to discuss your risk mitigation plans and the role of Escrow, please get in touch and one of our specialists will get back to you within one business day.

© SES Secure Limited and ses-escrow.co.uk, 2017. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.