EBA muddies waters on IT security in outsourcing contracts

The European Banking Authority (EBA) risks confusing industry by outlining different security-related contractual requirements in its draft guidance on ICT and security risk management from those that are stipulated in its draft guidance on outsourcing.

The ICT and security risk management guidance

In mid-December 2018 the EBA opened a consultation on draft guidelines on ICT and security risk management. Their purpose is to create a harmonised approach towards technology risk management.

The EBA is mandated to create the guidelines for payment service providers under the EU's second Payment Services Directive (PSD2). It has, though, elected to apply the new guidelines to credit institutions and investment firms too, using its powers under the under the EBA Regulation to drive consistency across the financial services sector.

The draft guidelines contain specific requirements in relation to addressing ICT and security risk in contracts with third parties. According to the draft, outsourcing contracts should set out: 

• information security objectives and measures, including minimum cybersecurity requirements;
• specifications of the financial institutions’ data life cycle;
• requirements regarding location of data centres;
• data encryption requirements network security and security monitoring processes;
• operational and security incident handling procedures including escalation and reporting; and
• service level agreements which "ensure continuity of ICT services and ICT systems and performance targets under normal circumstances as well as those provided by contingency plans in the event of service interruption".

These guidelines are provided "without prejudice to the EBA guidelines on outsourcing arrangements".

The EBA's draft guidelines on outsourcing

The EBA developed proposed new guidelines on outsourcing in June 2018. Its consultation on that draft closed last September, and finalised guidance is due to be published before the end of March this year.

The EBA's finalised guidance on outsourcing will be a significant document. It will outsourcing guidelines that have been in place since 2006 and supersede separate cloud outsourcing recommendations the EBA developed more recently, which only came into effect in July last year.

The EBA's draft new guidelines on outsourcing address a broad range of issues. Specific requirements on the security of third party data and systems are set out and include obligations on institutions to amongst other matters: 

• define data and system security requirements within the outsourcing agreement;
• provide for a right to terminate outsourcing contracts where there are weaknesses regarding the management and security of confidential data, personal data or otherwise sensitive data and information; and
• ensure that outsourced functions meet internationally accepted information security standards.

The EBA's flawed approach

The guidance on addressing third party security risks that the EBA has provided in its draft guidance on ICT and security risk management is general in nature, in contrast to some of the more specific requirements stipulated in the draft outsourcing guidelines. It is not clear why that is.

This approach, if included in the final documents, will create unnecessary administrative work for financial institutions in correlating these different obligations. It will also create unnecessary cost for technology providers in operationalising the requirements in order to best meet the needs of customers in the financial services sector. 

Scattering general requirements across two different sets of guidelines also creates the likelihood of greater uncertainty and may lead to financial institutions taking a more conservative approach to adopting new technologies from smaller technology providers that do not have the resources to correlate the requirements provided across these documents. It could also lead to differences in interpretation between authorities in different EU countries as each document is translated.

For consistency, the EBA really should look to set out a single list of security requirements within one document which can be referenced in the other. It has an opportunity to address this when it comes to finalise both sets of draft guidelines in the coming weeks and months.

Luke Scanlon is an expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.com.