SBIF, the Banking & Financial Institutions watchdog, has published new regulations amending chapter 20-7 of the RAN (Updated Regulations Directory) on outsourcing Cloud Computing services. The new guidelines, which are at the public consultation phase, set out the minimum conditions that financial institutions must meet when outsourcing cloud computing services.

The key changes brought in are as follows:

Definitions

New definitions such as “Cloud Computing Services”, “Technology infrastructure” and “Information security infrastructure” are added and others such as “Data processing” amended to include their purpose (data transmission, transformation &/or storage); and “Significant or critical (strategic) activities”, which includes any activity that uses non-public customer data.

General conditions that institutions outsourcing their services must meet:

• The Board of Directors must specify what risk tolerance it is prepared to accept.
• The technology infrastructure used to support significant or strategic activities must be used exclusively by the contracting entity.
• The independent audits put together to select, hire and monitor suppliers must be conducted by personnel who specialize in the various risks being audited.
• Institutions must ensure that the supplier carries out its own internal audit reports of the service being contracted.
• The responsibilities and obligations of the subcontracted firms must be defined.
• The physical location of the data centers must be known.

Business continuity

The institution must verify that not only critical service suppliers, but also the suppliers they in turn subcontract, have continuity plans in place to guarantee the services being contracted.

In addition, the institution must have an exit strategy to cover possible non-compliance by the supplier, and must check that this plan ensures the portability and interoperability of the outsourced services.

Information security

As well as verifying that the information security program safeguards the confidentiality, integrity, traceability and availability of its own information assets and those of its clients, the institution must:

• Manage and supervise the security infrastructure of the information available, so, for example:  firewall, anti-malware, antivirus, anti-spamming controls, among others.
• Have an encryption level that is high enough to ensure the end-to-end confidentiality and integrity of the data in communications connections between the hiring party and the service provider.
• Ensure that effective control and protection measures against external attacks are in place.
• Carry out vulnerability assessments regularly, have access to the audit records and to the tracking of mitigation measures.

Services carried out outside Chile

The new regulation removes the obligation, written into the previous version of the regulations, on the Data Processing centers to have infrastructure with simultaneous maintenance capabilities.

Reinforced diligence for services in the cloud

This is the biggest change in the RAN update. The new section V contains added requirements in those cases in which the outsourcing involves an activity considered to be strategic or critical. Thus, the Board of Directors must be especially diligent and bear in mind the following considerations:

• The supplier used has independent certifications that are recognized internationally.
• The contracts are signed directly between the contracting institution and the suppliers, to minimize the risk posed by intermediaries.
• The institution has legal reports on privacy regulation and access to the applicable information.
• The information processed outside Chile has been authorized by the clients.
• The service provider writes its own internal audit reports and they are available for reference.