Repost of the original article from 21 November 2017
On 23 October 2017 the Office of the Polish Financial Supervision Commission (“KNF Office”) issued an Announcement relating to authorised entities’ use of data processing services in a cloud computing environment (“Cloud Computing Announcement” or simply “Announcement”).
The opening of the Announcement reads “…Office of the Polish Financial Supervision Authority identifies the need to present its standpoint on the specific nature of use of the aforementioned services by authorised entities,” which makes it seem as if the text had been compiled by some sort of artificial intelligence. But other than that, there is nothing to criticise the document for.
On account of my interests and my professional practice, as well as my engagement in the European Commission’s Expert Group for Cloud Computing Contracts, I’ve had the opportunity to read numerous studies on the problem of cloud computing, including ones bearing the brand of the most renowned institutions such as Oxford University. However, none of these publications proved to be as detailed and practical as the KNF Office Announcement. I am pleased that in numerous points the Announcement is in line with the studies I published and the opinions I prepared at the request of individual financial institutions, but it is the level of detail that I find astonishing. Every sentence of the Announcement is full of meaning. It is, in fact, a tightly condensed checklist as well as an action plan for the implementation of cloud computing services. Indeed, the Announcement may be applied to every type of service or technological solution, including on-premise ones, and by every type of institution, not necessarily in the financial sector or under the jurisdiction of the KNF.
Prominent representatives of the KNF Office state: “KNF Office does not say ‘no’ to cloud computing”. The Announcement rather shows regulated institutions the path to embracing cloud computing. Having said that, the KNF Office still keeps asking the same fundamental question, “Is it safe?”, known from John Schlesinger’s movie Marathon Man. A detailed and well-documented answer to that question for the purposes of a transition to the cloud may be challenging, especially since it will require an account of the present-day status.
Outsourcing and secrecy
In line with the view presented by the KNF Office, a cloud computing service falls under the category of outsourcing, which means it is subject to applicable […] provisions. As we know, these will usually be the regulations on outsourcing and secrecy. In my opinion the Announcement leaves enough leeway for certain cloud computing services to be interpreted as falling outside the scope of outsourcing; however, that would require a detailed analysis of the provisions on outsourcing and also enquiring with the KNF Office as to whether such freedom of interpretation really does exist.
The KNF Office expects a financial institution to make sure that the cloud supplier is headquartered in a state, and that the service itself is provided in a jurisdiction, where violating the secrecy of information entrusted to the cloud is penalised.
Compliance by design. The expectation that the authorised entity performs the necessary works in order to enable compliance with the applicable legal provisions and external regulations already at the stage of planning the use of the Service does not seem to require any additional comments.
Identification of compliance requirements. The institution should identify the applicable requirements and determine the manner in which they will be fulfilled. It is necessary to establish a plan for monitoring the cloud computing service provider for compliance and for reporting the results of such monitoring in the management information system.
SWOT. A SWOT analysis (including benefits and risks) for the use of cloud computing services should be performed. The KNF Office lists SWOT elements such as alternative options, the possibility of the supplier’s bankruptcy or discontinuation of the business line and the mitigation of the resulting consequences, data safety issues from the perspective of information classes, and the support model. It is necessary to be familiar with the envisaged service (service configuration options).
Implementation plan. An implementation plan is required ensuring accountability of roles and actions, risk management (RM), change management (CM), threshold conditions for discontinuation along with the principles for measuring the effectiveness of implementation.
ISO. According to the KNF Office, the decision regarding “transition to the cloud” requires a prior, comprehensive evaluation of risk and the preparation of a risk management plan for the same. The KNF Office refers directly to the methodology and wording of the ISO quality standards in this regard (ISO/IEC 27005:2011 and PN-ISO/IEC 27005:2011). The KNF Office expects that the cloud computing service will be included in the information security management system and that such a system should function based on the good practices described in ISO/IEC 27001 and PN-ISO/IEC 27001:2014-12, albeit with no certification required. The KNF Office directly lists eleven risks specific to cloud computing which should be included in such a system, i.e. geographic fragmentation; access to data by the supplier’s personnel, subcontractors and third parties; limited influence over changes to the service; limitations on direct supervision of the supplier and access to its premises; weakness of the mechanisms isolating the supplier’s resources and vulnerability of interfaces; the manner of data deletion and the lack of direct control thereof; the possibility of unilateral change of the agreement by the supplier and the period of notice; SLA subtleties; access from the client’s internal network and from outside it; specification of the mechanisms for integrating the cloud with the client’s systems; and mobile access.
Unacceptable risk of non-compliance. The risk of non-compliance must be managed. The KNF Office firmly states that the risk of non-compliance with legal provisions, external and internal regulations and the standards adhered to by the authorised entity […] may not be accepted or transferred.
Comparison of risks. As part of the risk analysis, the predetermined risk levels for cloud computing services should be compared to the risks associated with alternative solutions.
Continuous risk management. The process of managing risk attached to a cloud computing service should be of a continuous nature and a corresponding risk review should be conducted at least once a year. We should be familiar with the information security management system of the supplier and their subcontractors, and also be able to inspect the results of the evaluation of those systems by independent experts, as well as the results of any internal audits of the supplier and its subcontractors. This inspection should be documented by means of responsibility charts, certificates, audit reports, business continuity plans and disaster recovery plans.
The KNF Office also requires documenting an evaluation of the supplier’s provision of appropriate protection of the data centres, as well as of the relevant computer and telecommunications equipment used there. The latter is slightly mysterious, but it probably means a report on the physical protection.
The KNF Office also requires determining, by means of a legal opinion, the prerequisites for obligatory data disclosure by the supplier upon request of authorities or other entities pursuant to the legal regimes applicable to the given cloud computing services. This is an indirect reference to the “long arm” case-law of the courts in the United States.
Cloud computing contract. The Announcement includes the entire alphabet of the KNF Office’s expectations as to the contents of a cloud computing contract (24). The list is too condensed to be restated here or commented on in detail. However, it is sufficient to say that it can be applied to any contract for a significant system, not only a cloud computing contract.
Interestingly, it contains an expectation whereby the contract should contain a lawful specification of the scope of responsibility for damage inflicted on customers. Irrespective of my personal conviction that the over-interpretation of EU regulations resulted in the imposition, in the Polish Banking Law in 2004, of unlimited liability on outsourcing service providers, this type of liability currently exists in the Polish Banking Law as well as in several other industry acts. It seems the KNF Office expects a head-on approach, i.e. a straightforward determination of the supplier’s awareness of the scope of its responsibility towards the customers of the given bank or other regulated entity such as a pension fund, instead of leaving such issues vague and unspecific. As I said in the interview which appeared in the October edition of the Bank magazine, Article 82 section 2 (2) of the GDPR in practice introduces similar direct liability on the part of the data processor towards the customers of the data controller.
Obviously, more similarities with the GDPR may be found. In particular, the Announcement covers most of the expectations regarding the entrusting and subcontracting of data processing activities that are included in Article 28 of the GDPR.
Apart from extensions of the rules described above, the KNF Office expects that when taking advantage of cloud computing services, a regulated entity will ensure the appropriate level of expert knowledge and skills on its part, as well as on-going communication with competent representatives of the supplier. The KNF Office stresses the importance of protecting data transmissions, indicating the need for encryption, strong authentication and high availability and capacity of data (internet) links. The KNF Office underlines the need for independent backup of critical data.
The Cloud Computing Announcement contains detailed rules regarding handling data incidents. These can be seen as a checklist not only for financial institutions, but for any larger organisations implementing the GDPR.
In its final part, the Announcement discusses in detail the issue of planning, at an early stage already, of the withdrawal from cloud computing services, and the assessment and monitoring of the risk of such a withdrawal becoming a necessity. From the perspective of my professional knowledge and experience, the relevant principles described by the KNF Office are in line with good practice.
As already mentioned, the KNF Office Cloud Computing Announcement is a detailed, condensed checklist of actions which the KNF Office expects from regulated institutions intending to use cloud computing. The Announcement is also a useful source of information for those institutions which are not supervised by the KNF, as well as those that, without planning to implement cloud computing services, simply intend to introduce some type of technological or organisational change within their structures, such as the implementation of the GDPR.
There are one or two grey area issues which I hope to be able to discuss with the KNF Office in order to identify the possibility of working out a common standpoint in relation to the specific nature of the use of particular cloud computing services by particular authorised entities. Irrespective of the above, I highly recommend the Announcement of the KNF Office to anybody who is interested in IT, the GDPR, cloud computing, business continuity and cyber-security.
Warsaw, 21 November 2017
Fortunately, the Financial Sector and Regulatory Practice of Gawroński & Partners s.k.a. is headed by Mr. Wojciech Kapica, who used to work for the KNF Office and, having a good understanding of the regulatory language, sometimes explains certain issues to me, which I make up for by clarifying his words to those who are not enthusiasts of regulations.
Wyniesie Banki w chmury? Karol Jerzy Mórawski, Bank financial monthly magazine, October 2017