FCA releases finalized guidance on outsourcing to the cloud and other third party IT services

July 12, 2016

The FCA has finalized guidance to clarify requirements on firms when outsourcing to the cloud and other third party IT providers, the aim is for firms to identify and manage operational risks associated with use of third parties. This newly issued guidance is in addition to general outsourcing requirements already detailed in SYSC 8 within the FCA Handbook.

We recommend that firms read the guidance paper in detail, key points include the following:

  • Risk Management – Firms should:
    • have a documented business case for ‘critical or important operational functions or material outsourcing'
    • carry out and document risk assessments
    • identify current industry good practice including data security management and cyber risks to support decision making
    • understand the provider’s data loss and breach notification processes to ensure prompt and detailed notifications
    • document strategies for maintaining business continuity in the event of an unforeseen interruption of outsourced services
    • have exit plans and termination arrangements that are understood, documented and tested
    • assurance obtained from international standards (such as the ISO 27000 series) is unlikely to be sufficient on its own for the purpose of assessing vendors
    • firms must not delegate regulatory responsibilities to service providers
  • Data Security – Firms should:
    • carry out a security risk assessment to include service providers and technology assets administered by the firm
    • agree a data residency policy with the provider
    • consider data sensitivity and how data is transmitted, stored and encrypted
  • Legal and regulatory considerations – Firms should:
    • ensure effective access to data and vendor business premises for the firm and the FCA
    • identify all service providers in the supply chain relevant to the provision of regulated activities including sub-contracting arrangements

The full published guidance can be viewed on the FCA’s website here: http://www.fca.org.uk/news/fg16-5-guidance-for-firms-outsourcing-to-cloud-and-third-party-it-services


We recommend that firms take the following actions:

  • Undertake and document risk assessments based on an industry framework such as NIST
  • Map out data residency and flow both for data inside and outside the organisation
  • Build a vendor management program that includes: a documented selection process, thorough and effective due-diligence, ongoing monitoring and oversight, and regular reviews of cost, performance and risks
  • Ensure that contracts include standard provisions to ensure that regulatory requirements are met and that outsourcing is undertaken in-line with internal policy requirements
  • Create a Written Information Security Program (WISP) that includes a data classification standard detailing how data types should be stored and transmitted

How ACA Aponix Can Help

ACA Aponix provides risk assessments, written information security programs, staff awareness programs (phishing and training), and vendor due-diligence as part of our core service offering. Please contact info@acaaponix.com with any questions or for further information on how we can assist you with addressing cybersecurity risk.