Cloud Technologies in the Financial Sector
Oksana Volynets
The global digital transformation and increased cyber security threats are triggering the stepping up of information security measures. The relevant expenditures in budgets of the corporate sector and financial institutions are growing steadily. The trend of recent years has been that of constant demand for IT outsourcing and the use of cloud computing solutions rather than investments in conventional IT models. The cloud option, as a cost-effective solution, enables the move from the CAPEX to OPEX business models.
Another driver for the expansion of cloud computing is general technological developments where the cloud is becoming an integral component. The advancement of artificial intelligence, machine learning and other innovative technologies into day-to-day life, the need for in-depth analysis of huge volumes of diverse sets of data require computing capacities of a level which is usually beyond in-house capabilities and can only be obtained from a third-party cloud provider.
The financial sector is driven by the same trends. High volumes of restricted data and specific requirements of regulators as to security measures make the issue of third-party cloud solutions even more immediate. The below will consider certain Ukrainian law regulatory requirements of cloud computing technologies with an emphasis on the rules applicable to financial services market players.
Legal situation in general
So far, in Ukraine, no special legislation on cloud technology has been adopted. There are no standards mandatory for cloud service providers either. With respect to legislation, the prospects of Draft Law No.4302 On Amendments to Certain Legislative Acts of Ukraine regarding the Information Processing in Cloud Computing Systems (adopted by the Verkhovna Rada of Ukraine in the first reading back in 2016) are rather foggy. Several national cloud technology specific standards harmonized with ISO standards adopted in Ukraine within recent years may apply on a voluntary basis as their mandatory application is not required by regulatory acts.
The processing of information in the cloud, irrespective of the cloud deployment model or residency of the cloud provider, is not prohibited by Ukrainian law and so may be employed, provided that cloud service users (i.e. financial services providers including both banks and non-banking financial institutions) are compliant with their industry regulations and restrictions as well as general legal requirements. It is worth mentioning straightaway that such regulations and requirements are mostly related to the regulation of information, information security, and personal data protection.
Financial market regulations
Turning to the financial market regulatory framework, there is no guidance in the law and as far as we know, no official position has been made public by financial market regulators (i.e. the National Bank of Ukraine (the NBU), the National Commission for Financial Markets Regulation (the NCFMR), and the National Commission on Securities and Securities Market (the NCSSM)). The only exception is that the NBU has begun integrating the cloud regulatory framework into banking regulations.
In 2017, the NBU, in order to enhance information and cyber security in banks’ information systems, adopted the Regulation on Organization of Measures to Ensure Information Security in the Banking System of Ukraine (introduced by NBU resolution No.95 of 28 September 2017), laying down a minimum set of information security and cyber protection measures mandatory for banks. Among others, such measures include the development by banks of an information security management system and the implementation of security safeguards in accordance with the national standards of Ukraine on information security (harmonized with ISO 27001:2015 and ISO 27002:2015). In this regulation, the NBU mentions those cloud technologies which may be used by banks in automation,technical and technological support, but the requirements for such technologies should be subject to a separate regulatory document. The latter has not yet been adopted by the banking regulator and neither has the draft been made public.
In the Draft Regulation on Cyber Security and Information Security in Payment Systems and Settlement Systems, posted on the web-site of the regulator for public discussions, the NBU proposes that cloud computing solutions may be applied only by a limited number of money-transfer market players, namely by key operators of payment systems. Such key operators under this draft basically include those payment infrastructure service providers which either (i) service an important payment system (also acting as its payment organization) or a payment system established by a non-resident, or (ii) act as an operator of more than one payment system.
Under the draft regulation, the key operators of payment systems may employ cloud computing solutions only if the server rooms of the cloud provider are physically located within the territory of Ukraine and such server rooms meet the specific requirements listed in this regulation (which are practically as strict as those provided for banks). Furthermore, the transmission of data to the cloud must be made in an encrypted way using any of the cryptographic algorithms specified in this regulation. The clouds on cloud-hosted servers located outside of Ukraine can only be used for backups subject to the above-mentioned encryption requirement for data.
The final text of this new regulation is yet to be seen. However, at this point the draft may be relied upon to understand the general approach of the regulator to the use of cloud technologies and the scope of its application by the institutions supervised by the NBU. At least one can note the same approach to data localization as provided by the NBU to the banks; transaction information must be processed and stored on servers or other equipment physically located in Ukraine. The backups may be stored outside of the country provided that they are protected by appropriate technical or cryptographic safeguards (as required by the Regulation on the Organization of Accounting, Accounting Control during the Operational Activities in the Banks of Ukraine adopted by the NBU Resolution No.75 of 4 July 2018).
Obviously, this new regulation will, if adopted, restrict the engagement of clouds run from data centers or servers located outside Ukraine. As for Ukrainian providers, they will be required to ensure the compliance of their data centers with the stringent security measures which are most likely to be adopted by the NBU.
The national commissions, the NCFMR, the regulator of non-banking financial institutions (except for those conducting money transfer activities based on a NBU license) and the NCSSM regulating the securities market and its participants, do not mention the possibility of using cloud services by entities they supervise. These regulators have not adopted the information security standards mandatory for their regulated institutions. More stringent requirements introduced by the NCSSM apply to depository institutions. As for the NCFMR, more specific and tougher requirements have been adopted for information systems used for rendering financial services by, e.g. insurance companies, pension funds and credit unions. Other than that, the information security requirements applicable to non-banking financial institutions are rather basic and general.
General legal requirements
As mentioned earlier, the cloud services arrangement may be subject to the requirements of information security and data protection laws. The type of information in accordance with the access regime thereto processed by the customer of the cloud service provider and transferred to the cloud will trigger the applicable requirements. Financial institutions and financial industry service providers mostly process information with restricted access, confidential information and secret information. There are no uniform rules on the access regime for each type of information and one needs to check the statutory acts governing a specific type of financial service to determine the relevant rules (i.e. banking laws, financial services law, laws on securities and depository activities, etc.).
For the information processed in the information (automated) systems, the general requirements on protection of information in information systems apply under the Law of Ukraine On Protection of Information in Information and Telecommunications Systems, No. 80/94 of 5 July 1994 (the ISP Law). Based on this law, the owner of the information system is required to ensure the protection of information in the systems based on the terms of the agreement with the owner of the information unless there are other requirements provided for by law. Such other requirements exist for information systems used for processing state information resources, and for information with restricted access the protection requirement for which is established by legislation. Namely, the ISP Law requires that processing the above categories of information must be done in a system using a complex system of information security (CSIS) with the confirmed conformity.
The owner of the information system shall be responsible for ensuring the conformity of its system by receiving either a conformity certificate or a positive expert report based on a state examination of the technical or cryptographic information protection.
The mentioned conformity assessment or the state examination is carried out by the State Service of Special Communication and Information Protection of Ukraine (SSSCIP).
Hence, the security of information systems on the basis of which the cloud platform is run and used for the processing of state information resources or the mentioned restricted access information must be confirmed by a CSIS compliance certificate obtained from the SSSCIP. At the same time, due to inconsistencies in the laws on information and information protection as well as lack of consistency in the by-laws adopted based on the ISP Law, there is no uniform approach to restricted access information, the processing of which requires the implementation of a CSIS and its certification by the SSSCIP. It becomes mandatory if expressly required in regulatory acts. For instance, such a requirement is provided by the NCSSM for the protection of information in the depository system when it is processed in the information systems of the depository institutions and the Central Depository (under the Regulation on Conducting Depository Activities, introduced by the ruling of the NCSSM, no.735, dated 23 April 2013).
Ukrainian personal data protection laws are another set of rules that apply if cloud services are used for processing, including the storage of personal data. The scope of applicable requirements will depend on the arrangement with the cloud services provider, and on the nature and scope of data transferred to the cloud. Based on the Law of Ukraine On Personal Data Protection, No. 2297-VI, of 1 June 2010, the cloud services provider will most likely qualify as the data processor. In order for personal data to be lawfully transferred to a third party processor, a written agreement should be in place between the data processor and data controller (i.e. the customer of the cloud services provider) setting out the purpose of the data processing and the scope of the data transferred for processing.
The customer of the cloud services provider may, as a data controller, be subject to other requirements such as: (i) notification to the data protection authority on the processing of sensitive data (such as inter alia participation in political parties/organization, trade unions, biometric data, medical data, information about administrative or criminal liability) or changes to information notified earlier to the data protection authority — the Commissioner of the Verkhovna Rada of Ukraine on Human Rights (the Commissioner), e.g. change of data processor; (ii) notification of data subjects on the location of data, identification of data processor; and (iii) data subject consent — e.g. for cross-border data transfer to jurisdictions which do not ensure an adequate level of protection.
It should be also noted that the Commissioner is now preparing a draft law on amendments to the Ukrainian data protection law for its approximation to the General Data Protection Regulation (GDPR). Hence, it may not be too long before the GDPR requirements transported into Ukrainian law will become mandatory for all Ukrainian data controllers and processors.
According to market reports, the Ukrainian cloud services market is growing. It is growing despite the fact that cloud computing technologies remain, to a certain extent, a grey area as a matter of law. That said, the sensitivity of the data processed by financial market players and operational risks involved must be ensured at the regulatory level by clear–cut requirements that apply to all financial institutions. The availability of cloud technology standards and explicit legal rules should serve both financial institutions in their efforts to comply with information security requirements and cloud services providers when developing compliant cloud-based products.
Oksana Volynets
is a senior associate at Wolf Theiss
