The vision of DNB on the supervision of cloud computing
CBCS: Information Technology Service Management Seminar
Evert Koning, 18 November 2014
Financial industry in the Netherlands

Institution type           Number
Banking                       100
Insurance companies           300
Pension funds                 350
Investment firms              350
Trust and payment firms       400
Total                        1500
Strategy

Supervision focusses on the protection of:
- the interests of creditors/consumers
- the stability and integrity of the financial system

This means that Supervision must:
- be kept posted on, and understand, what institutions are doing and how they manage and control the risks
- identify relevant developments and threats in a timely manner and advise on them
Strategy of ICT supervision

- ICT focus strategy with differentiation
- An institution of some magnitude is not viable without ICT
- Supervision needs to make certain that the institutions recognise and adequately manage ICT-related risks
Mission statement of EC-ICT

Was: To offer the maximum added value for general Supervision specifically, as well as for the Central Bank as a whole, by means of effective and efficient use of people and tools, with the focus on the different expertises within the department.

Is: To achieve, through effective and efficient means, adequate control of IT risks by supervised institutions.
Supervision cycle (figure slide)
Assessment of risks (figure slide)
Organisation EC-ICT

- 10 IT examiners
- No hierarchy
- 3 levels of experience
- Flexibility
- Account structure T5 and T4
Cloud computing

Cloud computing qualifies as a form of outsourcing, so the same legal requirements apply:
- risks need to be demonstrably known and mitigated
- outsourcing to third parties may not obstruct supervision by DNB

http://www.toezicht.dnb.nl/en/binaries/circulaire%20cloud%20computing_tcm51-224828.pdf
Legal framework: outsourcing

Specific rules for outsourcing (6 articles):
- Outsourcing is not allowed if it obstructs prudential supervision of the institution (art. 27)
- Outsourcing is not allowed if it harms the independent internal audit and compliance process (art. 28)
- The institution needs to have a sourcing strategy and detailed procedures in place to manage the outsourcing (art. 29)
Legal framework: outsourcing (continued)

Specific rules for outsourcing (6 articles):
- The institution needs to have sufficient procedures, knowledge and information to assess the outsourced processes (art. 30)
- A sufficient written outsourcing agreement is mandatory (art. 31)
- The above-mentioned articles are not applicable if the processes are outsourced to a company in another country that is part of the group of the financial institution (art. 32)
Legal framework: risk management

Specific rules for risk management (4 articles):
- Policy regarding the control of risks is documented in detailed procedures and measures to control risks (art. 23)
- Systematic and independent risk analysis (art. 23)
- The institution supervises compliance with the procedures and measures mentioned in art. 23 (art. 24)
- Internally developed models are assessed and validated (art. 25)
- The treasurer of the institution has procedures and measures in place to ensure the financial position (art. 26)
Definition of cloud computing

NIST definition of cloud computing (ref. SP 800-145):

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."
Attention points for cloud computing

- Where are my (back-up) data?
- Who can access my data?
- How do I know that performance is as contracted?
- Exit from the cloud provider: is all data wiped?
- Does the right to audit also extend to subcontractors?
Cloud computing: international aspects

- International agreement on cloud computing
- Letters on cloud computing: APRA, MAS, DNB, US, Spain and Canada
- All countries have the same attitude w.r.t. cloud computing
- Some countries are more strict

Source: http://www.toezicht.dnb.nl/binaries/cloud%20computing_tcm50-224828.pdf
International agreement

Common understanding within the ITSG:
- Cloud computing qualifies as outsourcing
- Cloud computing is defined by NIST
- The supervisors' right to audit must be included in contracts
- Email is considered part of the critical business
Cloud computing and DNB

Journey with Microsoft:
- Circular on cloud computing, 6 December 2011 (English version 10 January 2012*)
- Contact with a financial institution about Microsoft cloud services
- Contact with Microsoft
- Contact with Microsoft and the financial institution
- Agreement with Microsoft NL -> involvement of Microsoft EMEA and US
- Agreement with Microsoft US
- Financial institution implementing Microsoft Office 365
- Visit to the Dublin datacentre
- Visit to the Microsoft campus in Redmond

* http://www.toezicht.dnb.nl/en/binaries/circulaire%20cloud%20computing_tcm51-224828.pd
Agreement with Microsoft

http://www.toezicht.dnb.nl/en/7/51-226970.jsp
DNB and cloud computing

Symposium Cloud Computing 2013:
- Regulator view
- Assurance
- Lessons learned by service providers
- Lessons learned by financial organisations
- Market perspective
http://www.toezicht.dnb.nl/7/50-228265.jsp

Risk analysis framework based on ENISA*:
http://www.toezicht.dnb.nl/binaries/sjabloon%20cloud%20computing%20%20risicoanalyse_tcm50-228202.pdf

* http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloud-computing-risk-assessment
Cloud computing: right to examine (figure slide)
Questions?

Evert Koning
Operational Risks & Data Quality
Telephone: +31 20 524 2428
Mobile: +31 6 524 96 399
E-mail: e.koning@dnb.nl