Compliance in the Cloud

By Vasyl Nair, Chief Risk Officer, Mine Super & Louis Leung, Executive General Manager Group Risk and Compliance, Mine Super

Vasyl Nair, Chief Risk Officer, Mine Super & Louis Leung, Executive General Manager Group Risk and Compliance, Mine Super

You’ve secured funding and support to launch your new cloud-based strategy with a business case, vendor short list and project plan all finalised. Well, how about understanding your compliance obligations?

Whilst moving to the cloud has become an increasingly popular business strategy, securing compliance in the cloud can be significantly more difficult. The task of Googling a “cloud compliance checklist” is likely to surface more questions than answers. You’ll likely spend more time filtering through sales material than finding any practical guidance on the topic.

Seek technical help

Fortunately, you’re not alone and the places to ask for help aren’t always obvious. Whilst larger organisations typically have in-house risk and legal teams, it may not be as easy for Chief Information Officers who don’t have access to dedicated internal resources. As a result, you may need to carefully consider the cost-benefit of hiring or appointing external technology risk professionals or compliance specialists with prior cloud experience to help you achieve your objectives.

You may also want to consider audit firms that offer consulting services or specialised businesses such as managed security service providers. Whether you hire or outsource this capability, the key to delivering quality outcomes is by ensuring you have the right mix of capabilities to understand your compliance obligations and deliver your project.

Determine what’s important

Once you have capabilities sourced, you’ll need to identify what your compliance obligations are. This is where investing time upfront will help you mitigate the emergence of last-minute surprises that can derail a project. You might consider:

1. Internal policy obligations – surprisingly, internal policies are a great place to start. This is where the rest of your management team have already summarised key obligations across your business. You’ll find vital clues on where to go for more information on a wide range of topics such as privacy, vendor due diligence and technology security.

2. Legislative obligations – consider the legal jurisdictions your business (and short list of cloud providers) operate in and whether any offshore obligations apply. At minimum you should be considering privacy and data retention laws in addition to any other legal domains that are relevant to your business and what’s being moved into the cloud.

3. Regulatory guidance – are there any regulators that oversee your business and do they have a documented posture in relation to cloud-based arrangements? In Australia, licensed financial services entities must meet specific requirements set out by the local regulator for outsourcing arrangements that involve the cloud.

4. Contractual obligations – depending on what is being moved into the cloud, you might also want to review existing contracts in place with suppliers and customers. This includes reviewing your cloud service provider to understand how your risks are being managed. For example, who will be liable when your cloud provider experiences a problem that impacts your service and causes a downstream contractual breach?

5. Industry standards – pay attention to any certifications or assurance your business provides to suppliers and customers. Industry standards or audit requirements (such as IT General Controls) may result in additional work required to maintain compliance.

Getting it done

Don’t be too surprised if you end up with a laundry list of compliance driven work that seems larger than the work set down in your original implementation plan. Your compliance checklist can serve as your obligations register. You can quickly identify recurring themes to group these into key risks that affect your business. For example, you’ll likely identify availability, security, vendor, data migration and strategy as key risk themes linked to work areas.

Once you have your compliance obligations grouped by risks, you should start considering what controls are required to manage these risks (which may include the risk of breaching compliance obligations) and how these are integrated into your overall implementation plan.

At this stage you should also consider the need to document any contingency plans required to address how you will handle potential breaches. For example, if you had a major data breach will your team be able to quickly map the critical path to resolution? The same logic should be applied to managing IT security incidents and general business continuity.

Ensuring you document this end-to-end process is vital as this will help you later when you need to provide evidence to your auditors on how you’ve identified your compliance obligations, your compliance risks and how these are being effectively managed as you transition to the cloud.