BaFin - Federal Financial Supervisory Authority of Germany

04/02/2024 | News release | Distributed by Public on 04/02/2024 04:59

“Yes, BaFin does allow that!”


Published: 02.04.2024 | Topic: Digitalisation

At the beginning of February, BaFin published a supervisory statement intended to support supervised companies in outsourcing functions to cloud service providers. Find out what's new - and why - in an interview with Ira Kosche-Steinbrecher and Dr Sven Kleinknecht-Dennart from IT supervision.

Ms Kosche-Steinbrecher, Dr Kleinknecht-Dennart: You were responsible for updating BaFin's supervisory statement on the cloud. What's new?

Kosche-Steinbrecher: Let me begin by saying that this is not about us making new rules. What we're doing is providing information on requirements set out in various laws and circulars that already exist. Our goal is to provide companies with a new focus on BaFin's assessment of the outsourcing of services to the cloud. In our view, there is a considerable need for such information in the industry.

Kleinknecht-Dennart: We have included two new chapters in the supervisory statement. The first chapter takes a look at the architecture principles for cloud development and offers companies advice on monitoring the cloud environment. Cyber security plays a key role in this context, given that the cloud is mainly used via the internet. Needless to say, the danger of an attack on the cloud via the internet, including exfiltration of data, is especially great. We offer advice on what companies can do to keep an eye on this issue.

Can you give us some examples?

Kleinknecht-Dennart: The architecture principles are a good example. Many cloud service providers offer detailed information on the topic of designing secure cloud applications. They also often provide best-practice examples for developing and operating cloud applications. Our supervised companies should make use of these offers. We recommend that companies specifically align the best practices with their own requirements for IT risk management and ensure that they implement them. That's usually not a problem technically - and this is one of the great advantages of the cloud. Quite often, deviations from best-practice examples can also be effectively monitored by automated means.

How should companies deal with deviations?

Kleinknecht-Dennart: They can do this by specifically excluding certain services, for example, or using only data centres at defined locations. Working with multi-factor authentication and automatic back-ups can also prove worthwhile. We expect cloud usage to be more secure if these measures are effectively implemented.

And what's new in the second chapter?

Kleinknecht-Dennart: Here we focus on the monitoring that needs to be done by the financial entity. How, in BaFin's view, should companies monitor and control the services rendered by the cloud service providers? A key term we're using here for the first time is the "shared competence" model. However, the model is not entirely new. Many might be familiar with the "shared responsibility" model. But our intention here is to consciously move away from the notion of responsibility in this context because it has often been a source of confusion in the past. Responsibility always lies ultimately with the supervised company. The particularly important point for us is that the process and information interfaces between the cloud service provider and the supervised company are harmonised.

Kosche-Steinbrecher: What's also new are the various boxes we've added with references to DORA. Here we set out the requirements that companies will have to observe from January 2025 onwards. This is extremely important for companies because they should have started preparations for implementing DORA long ago. The idea is that the supervisory statement reflects our current assessment of things but that it will also prove useful in future under DORA. We've also already received positive feedback on this from the sector.

How many companies are affected?

Kleinknecht-Dennart: We're talking about a few thousand. In principle all supervised companies using cloud service providers - from banks and insurers to investment service providers and e-money institutions.

Is the supervisory statement mandatory? How should companies deal with it?

Kosche-Steinbrecher: No, it's not mandatory, and this is something we stress time and again. Our intention is to offer practical support and not place additional demands on companies. The supervisory statement constitutes a joint assessment by BaFin and Deutsche Bundesbank on outsourcing to cloud service providers. You might say it's a tool that enables companies to keep an eye on the challenges associated with cloud outsourcing - over the entire life cycle of the outsourcing. By the same token, it also means that companies are free to reach their goal via a different route, if they prefer. The important thing is that the requirements be fulfilled, no matter what course of action companies decide to take.

Technology has progressed since the guidance on cloud outsourcing was published in 2018, and companies' usage of the cloud presumably too. Was that the reason for the update?

Kleinknecht-Dennart: Yes, it was. Cloud usage itself, but also the maturity of cloud usage in the financial sector, is constantly increasing. What companies are in effect saying is that they now have a sufficient understanding of things to be able to go live with crucial data and processes. A significant stage of development has been reached that we now also reflect in our supervisory statement.

What's characteristic of this development?

Kleinknecht-Dennart: Previously, the focus of our guidance was on governance of cloud usage, in particular the contractual agreements with the cloud service providers. The main question was how companies could navigate their way into a secure cloud. Now, many companies are looking at ways to securely develop and securely operate their own applications in the cloud. The topic of provider monitoring is also growing in importance. The financial sector has been a little slower and more cautious in its use of the cloud than the manufacturing industry, for example. One reason was that it has simply taken a while for the requirements relating to the financial sector to be negotiated into the contracts. BaFin has also carried out a great deal of explanatory work and held intensive discussions with cloud service providers.

Kosche-Steinbrecher: But I also think that the responsible parties were simply taking the time they needed to ensure smooth operations. And they have been clearly successful - cloud service providers grant the financial sector far more contractually guaranteed rights than other sectors. One example is in the area of termination rights. Another area is auditing rights, which allow the internal audit departments of financial companies to conduct their own audits at cloud service providers.

So has there been a change in companies' attitudes towards the cloud?

Kleinknecht-Dennart: My impression is that attitudes towards cloud usage are very positive at management level. But every now and then a company's compliance office will say that BaFin doesn't allow this or that. That's nonsense. BaFin does indeed allow that. And has done for many years!

Kosche-Steinbrecher: Another thing that we consider to be important - in 2018 we had already offered companies genuine support with our guidance on outsourcing to cloud service providers. And it was very well received. No supervisory authority would show such commitment if its real intention was to ban cloud usage.

Who's responsible if something goes wrong in the cloud?

Kosche-Steinbrecher: The competences have to be clearly defined and documented. Put simply - the cloud service provider is the competent party for ensuring security in the cloud. The financial entity is the competent party for ensuring that the cloud is correctly configured and that the applications being used are secure. Both parties must of course adopt preventive measures. But the ultimate responsibility is not something that can be outsourced. And, incidentally, this will continue to be the case under DORA.

Kleinknecht-Dennart: Let's be quite honest - something's going to happen sooner or later. The question will then be how to deal with such a scenario. This is where DORA makes a large number of specifications. But in our supervisory statement we have focussed primarily on what companies can do to ensure that as little as possible happens and that the consequences remain manageable. The shared competence model that we mentioned above is the key to this.

How did the supervisory statement come about?

Kleinknecht-Dennart: As we said - it all started with a guidance notice in 2018 but without us specifically discussing the paper with the financial sector beforehand. Thankfully, feedback at that time was positive, despite this. We're now exploring new territory with many topics and have transformed the guidance notice into a supervisory statement that is also far more comprehensive and detailed. It was therefore especially important for us to ensure that the information we provide actually works in practice and can be understood by third parties that were not so closely involved in the creation process. That's why we contacted the companies concerned and their associations before publishing the supervisory statement.

Kosche-Steinbrecher: For years now, we've been sharing views and information with the financial sector in discussions on IT-related topics. BaFin's IT specialists and IT experts have now established themselves as genuine partners for dialogue with banks and insurers. This has enabled us to effectively assess where new support is needed and where difficulties might lie. The members of these committees provided feedback on our drafts that has proved very helpful. But we have also staged various workshops with representatives from these committees and discussed specific text passages.

Dr Sven Kleinknecht-Dennart and Ira Kosche-Steinbrecher from BaFin's IT Supervision


Did conflicts arise while exchanging opinions with the financial sector? Which topics were discussed in particular detail?

Kosche-Steinbrecher: It's in the very nature of things that BaFin and the financial sector have differing views on things. All in all, there was an excellent exchange of opinions. However, differences did arise, for example, over the treatment of audit reports, with companies expressing their wish that BaFin recognise auditors' reports in full. But in BaFin's view, it is not always sufficient for companies to content themselves with an external audit that has been commissioned by the cloud service provider. Every now and then it's worth paying a visit to the service provider yourself in order to really gain an impression.

Kleinknecht-Dennart: We also talked a lot about sub-outsourcing - what do companies need to bear in mind, who keeps track of things when supply chains become fragmented? But we've refrained from including these aspects in our supervisory statement for the moment because DORA has already made some very concrete specifications on this. The shared competence model was also a crucial point of concern, particularly with regard to cyber security. Enterprises can exercise a degree of flexibility in how they implement this requirement. But it's vital that the cloud service provider and the financial entity spell out the relevant competences. And also document where the red line runs.

Where do things go from here? When is the next update due?

Kleinknecht-Dennart: We've processed all the current requirements, including the cloud guidelines issued by the European Supervisory Authorities. As we said - we've already included DORA in the supervisory statement. If adjustments have to be made soon due to new EBA guidelines, we will of course take these into account.

Kosche-Steinbrecher: The important thing now is that the companies should be really able to use the guidance in their daily work. We eagerly await feedback from the financial sector. By the way, supervisory authorities from other countries, both EU countries and third countries, have also expressed interest in our supervisory statement. BaFin is being perceived as a pioneer in this field. In the coming weeks and months, we're sure to hold some talks and report on our experiences - and those of our supervised companies.
