The Syntax cloud compliance checklist for IT support for financial services firms

Cloud technology used to be ‘new kid on the block’ threatening to disrupt businesses and IT departments worldwide.

That was decades ago.

cloud compliance

Cloud services are now the new mainstream: One in four UK organisations use at least one cloud application.

The rise of the cloud has seen business revenues grow on average by £2.3 million in ‘cloud advanced’ companies. Yet there remains a barrier to more widespread adoption: security and compliance.

That doesn’t mean firms in highly-regulated industries such as banking or finance aren’t embracing the cloud. In fact, cloud adoption has nearly tripled in this sector from 15 percent in 2014 to 39 percent in 2016. And the Financial Conduct Authority (FCA) has advised that there is ‘no fundamental reason why cloud services (including public cloud services’ cannot be implemented’ in a compliant manner.


You’ve got the green light. Now what?

With the FCA’s go ahead, financial services firms can be more confident about adopting cloud technology. But how can you be sure a particular cloud service provider (CSP) meets your compliance requirements?

When you’re considering a CSP, take this cloud compliance checklist and ask about the following before choosing IT Support for Financial Services:


 1. Security & privacy

In order to have effective control over your customer data in the cloud, you need to know where it’s stored, how it’s handled and who can access it. Ask your cloud service provider:

  • Where are their data centres located? Where will you data reside?
  • Who can access your data, and under what circumstances?
  • Is data encrypted at rest and via the network as it’s being transmitted?
  • What policies, procedures and controls are in place to protect your data?

A reputable CSP will be transparent about how your data is handled. Don’t be afraid to ask direct questions about data handling, policies or security processes, and always ask for proof of certifications and compliance claims.


 2. Resilience and reliability

Cloud services are spread around the world and often reliant on third-party hardware, software and services. This means that they are not, automatically, infallible simply because they are in the cloud.

Your CSP should have ‘coping mechanisms’ built into their software and service offering to minimise the effects of disruptions and failures. Ask what policies, practices and controls are in place to manage the risk of:

  • Human error
  • Hardware and software failure
  • Natural disasters
  • Criminal activity

A good CSP will have resilience and recovery measures right at the heart of their software design. Microsoft Office 365, for example, is built using Microsoft’s Recovery-Oriented Computing (ROC) practices to anticipate – and mitigate – failures before they happen.


 3. Compliance

Your CSP should meet (or exceed) the international, regional, local and industry-specific regulations and compliance standards that govern data security. This includes:

  • ISO/IEC 27001 and ISO/IEC 27018, an international code of practice for cloud and information management services
  • SOC 1 and SOC 2, a framework of controls that safeguard financial information in a service organisation
  • Data Protection Act 1998, the main piece of legislation governing the protection and processing of personal data in the United Kingdom

The best way to ensure a CSP is compliant is to check their certifications and attestations. These should be made publicly available, as should any third-party audits conducted by reputable organisations like the British Standards Institution. Request audit reports and compare the findings with your own legal and regulatory requirements.


4. EU Model clauses and contracts

European Union data protection law regulates the transfer of customer personal data to countries outside the European Economic Area (EEA). EU Model Clauses are standardised contractual clauses used in agreements between CSPs and customers to ensure data is transferred in a compliant manner.

Before signing an agreement, make sure that your CSP has the right infrastructure and processes to meet the requirements of the Model Clauses. Reputable CSPs will offer contractual guarantees around the transfer of personal data; Microsoft, for example, offers Standard Contractual Clauses to allow customers to safely move data through the Microsoft cloud from the EEA to the rest of the world.


5. Service level agreement (SLA)

An SLA is like the warranty document for your cloud service, and it outlines the minimum level(s) of service required to meet your business’s needs and goals. It’s the most important thing to review from a risk and compliance perspective.

In addition to data handling processes, compliance certifications and security measures, your SLA should outline:

  • Uptime guarantee. This is the percentage of time your service is guaranteed to be operational and functioning as normal. Some CSPs will have a financially-backed uptime guarantee; Microsoft Office 365, for example, has a financially-backed guaranteed uptime of 99.9 percent.
  • Disaster recovery. An SLA should outline your CSP’s disaster recovery processes and controls, including any built-in redundancy, monitoring and diagnostic systems.
  • Support. A good CSP will have automated recovery actions, but you also want to check what level of (human) customer support you receive in your agreement. Clarify the hours you can access support, and who will be available during those hours; the Office 365 support team, for example, is available 24×7 and includes support engineers and product managers.
  • Exit strategy. Your SLA should govern the processes around terminating your service in the event you want to change providers. It’s important that you ensure you’ll be able to extract and move your data (i.e. that it’s ‘portable’). You should also clarify what will happen to data in your account at the end of your service term – some providers may delete it!


The future is now


Cloud technology isn’t the future: it’s the present. If you want to boost your revenue potential, you need to embrace the cloud – but not at the risk of non-compliance and security failure. Put your data and your customers first and do your due diligence with this cloud compliance checklist.