Cybersecurity and regulation in financial services 

In the past decade, financial institutions have been hesitant to migrate their legacy on-premises systems to cloud infrastructure. Some institutions have been uneasy about switching to an outsourced infrastructure model and might have felt less in control of their technologies, often questioning the security of their data. Moreover, the complexity and risks related to technological changes in the financial services industry make it one of the most regulated sectors in the world.

During the pandemic’s high demand for easily accessible yet robust and secure financial digital services, cloud adoption grew quickly. This sudden increase now presents new challenges. For many institutions today, whether financial or not, managing a multicloud architecture and providing secure and reliable services also means meeting compliance and regulatory requirements within the cloud provider’s shared responsibility model.

Regional and global regulations impacting financial and many other institutions are critical to ensuring secure and efficient operations and can ultimately benefit an organization’s bottom line. According to the United Nations Conference on Trade and Development, today more than 70% of the world is covered by some type of legislation related to privacy. Consequently, understanding how to capture the performance and cost benefits of cloud infrastructure while remaining compliant is particularly important, especially when it comes to avoiding costly regulatory fines and sanctions focused on data outsourcing and residency.

Three things to know about outsourcing with OCI

When deciding to partner with Oracle Cloud Infrastructure (OCI), you must consider many factors: cost, performance, availability, and, of course, your regulatory requirements. Oracle can help in your strategic evaluation of OCI with the following key points:

  • Risk analysis: Customers are solely responsible for determining how cloud computing fits into their IT strategy. Oracle offers several resources to assist its customers in conducting the necessary analysis. OCI attestations issued by recognized third parties are available on the Oracle Cloud Compliance site.

    You can use OCI’s Consensus Assessment Initiative Questionnaire (CAIQ), issued by the Cloud Security Alliance (CSA), to evaluate OCI security capabilities. Oracle Corporate Security Practices are implemented as Oracle’s Corporate security programs, and they guide Oracle’s operational and services infrastructure, including Oracle’s corporate network and systems.

  • Contractual terms: In the case of outsourcing critical activities to a cloud service provider like OCI, financial services customers and their regulators have the right to audit Oracle’s compliance under the Financial Services Addendum.

  • Data security: As a cloud service provider, OCI generally has no insight into the data customers store or process in their tenancy. Oracle is transparent with its customers about the security controls and practices. OCI maintains a robust security program and validates that through independent third-party assessments, including biannual ISO/IEC 27001, 27017, 27018, and Cloud Computing Compliance Controls Catalog (C5) attestations. For more information, see Oracle Cloud Compliance.

    Oracle Cloud regions are located in many countries across the globe. Customers choose the data region in which to locate their tenancy, and data is hosted in that region. The data stays within that region unless the customer chooses to move it. For customers in the European Union that need to meet extra data sovereignty requirements, Oracle Sovereign Cloud regions are logically isolated from commercial cloud regions.

German financial services’ current regulations

Germany is one of the leading global financial markets and is guided by European Union regulatory bodies, including the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA). Regionally, the German financial industry is also subject to Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and Deutsche Bundesbank regulations.

BaFin supervises financial services providers, insurance undertakings, pension funds, asset management companies, investments, and securities operating in Germany. Deutsche Bundesbank, the German central bank, supervises credit, financial services, and payment institutions. To address the increased usage of cloud services within the German financial sector, BaFin and Deutsche Bundesbank have issued joint Guidance on outsourcing to cloud service providers. This document provides guidance to financial services organizations on their assessment of cloud service providers, including key considerations and contractual terms to be included in agreements when outsourcing critical processes.

BaFin issues supervisory requirements on a number of topics, including Circular 10/2018: Supervisory Requirements for IT in Insurance Undertakings (VAIT), Circular 10/2017: Supervisory Requirements for IT in Financial Institutions (BAIT), Circular 11/2019: Supervisory Requirements for IT in German Asset Management (KAIT), and Circular 11/2021: Supervisory Requirements for IT at Payment Services Providers (ZAIT). These BaFin circulars set forth requirements for insurance, banking, asset management, and payment and e-money institutions and cover technical and organizational measures for IT systems, especially those concerning security management, operations, and specifically the outsourcing of IT services.

Oracle supports financial service organizations in Germany (and beyond)

Oracle has a long history of supporting customers in the financial services industry, and we are committed to providing the services, features, and security controls to help them meet their regulatory requirements. Even within the evolving landscape of global financial services regulation, customers like Deutsche Bank have experienced firsthand the performance and cost-saving benefits of OCI.

To find out more about why customers are choosing Oracle Cloud Infrastructure for their most critical workloads, contact your account representative.