The National Bank of Hungary (in Hungarian: Magyar Nemzeti Bank, "MNB"), acting as a finance regulator, recently published a new, detailed recommendation (Rec. No. 2/2017, the "Recommendation") on the use of cloud services by financial institutions. The Recommendation replaces the formerly applicable 4/2012 management circular (the "Management Circular") issued by the former Hungarian financial supervisory authority in 2012. In the last five years there has been a notable need for an up-to-date, more detailed guideline regarding the application of cloud services in the financial sector. The Recommendation addresses the emerging needs in connection with cloud computing agreements between financial institutions and cloud service providers ("CSPs"). The MNB expects financial institutions (those that fall under the scope of Article 39 of Act 139 of 2013 on National Bank of Hungary, such as banks, insurance service providers, investment firms, saving cooperatives, pension funds, commodity dealers, select payment service providers and similar financial institutions) to comply with the Recommendation from 1 March 2017, however it is not binding on financial institutions.
The Recommendation, in comparison to the Management Circular, contains more specific requirements for financial institutions concerning the application of cloud services, for instance, more detailed rules on the characteristics of the cloud services, and the supervisory role of the MNB is also introduced.
The Recommendation covers four main topics:
Definition of cloud services
The Recommendation provides a definition of cloud services, and the substantive criteria thereof. According to the Recommendation, cloud services are a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The application of cloud services
The application of cloud services is a process starting from the phase of emerging business needs and planning, and ending with the phase of termination.
The Recommendation states – in line with the Management Circular – that the application of cloud services qualifies as outsourcing, if it concerns personal data or any confidential information regarding the client. Despite qualifying as outsourcing, financial institutions are obliged to comply with all relevant regulations. Therefore, as part of planning financial institutions first assess whether they are able to comply with all relevant regulations, and how is it possible to review the activity of the CSPs. Afterward, financial institutions prepare a cost-benefit analysis which contains the costs concerning the introduction of the cloud services, but also takes into account other alternative solutions and their costs. Furthermore, financial institutions also prepare a risk management analysis regarding the introduction, operation and termination of cloud services. In the risk management analysis financial institutions identify the risks of the application of cloud services, create a risk reducing strategy, and find a way to implement principles regarding data privacy, data security and business continuity.
The Recommendation regulates the mandatory requirements of cloud service agreements to be concluded with the CSPs in more detail than the Management Circular did. Both the Management Circular and the Recommendation mention amendments to the agreement, termination of the agreement, liability, security warranty, and data protection/data security provisions as mandatory provisions of cloud service agreements. The Recommendation however mentions other mandatory provisions of cloud service agreements as well, such as the stipulation of the MNB's supervisory powers, the treatment of force majeure, provisions concerning licenses and intellectual property, data location, the stipulation of language of services/communication, and provisions concerning subcontractors, etc.
Further, the Recommendation specifies the necessary tasks to perform during the introduction, operation and termination of cloud services. The main purpose of the tasks related to introduction is naturally to make sure that cloud services can be introduced, while the purpose of the tasks related to operation is the continuous and uninterrupted functioning of cloud services. Termination may occur solely due to changing CSPs or due to converting to any alternatives of cloud services.
Cloud services security principles
Cloud services security principles set by the Recommendation are observed by financial institutions, and financial institutions ensure that CSPs also observe them. Among these cloud services security principles the Recommendation mentions data-security and data protection, which means that financial institutions identify and classify data that is outsourced to the cloud. Afterwards, they determine the data security and data protection requirements. In addition, financial institutions review the compliance of the CSPs with these requirements at least once a year. The Recommendation introduces three other principles regarding data security and data protection: security of data during transmission, security of data during storage and data protection as a sui generis cloud services security principle.
Other cloud services security principles are the principle of security of IT processes, i.e. IT processes have to be regulated, secure and audited. The principle of security of IT processes also includes security management, and security of operations and development. The principle of protection of resources means that financial institutions make sure that neither their own resources, nor the resources of the CSPs can be hacked into. The principle of user/authority treatment means that financial institutions limit access to cloud services to the necessary and sufficient level, and create authentication and authorization solutions.
Overall, the Recommendation provides more detailed rules for cloud services security principles compared to the Management Circular.
Financial institutions are obliged to ensure that the cloud service agreements authorise the MNB to audit CSPs and financial institutions as well. Audits are performed either as spot checks or off-site monitoring, or both. The scope of the audit can only be restricted to a reasonable extent as long as it does not prevent or hinder the execution of the audit. The MNB is authorised to audit the decision-making materials, risk management tasks, exit plans and cloud service agreements, as well as the applied security and data protection requirements.