Cloud computing in finance

Cloud & Law

Kochański & Partners, as part of the Banking Working Group of the Polish Bank Association, was engaged in developing a Polish standard for cloud computing implementation in banks.

The so-called PolishCloud based on, inter alia, the Position of the PFSA of 24 January 2020* serve as a roadmap for banks in Poland seeking to implement cloud computing services.

The unique expertise acquired while working on the PolishCloud and years of experience gained in servicing clients from the financial sector have enabled us to develop a comprehensive package of services that will help you efficiently and effectively implement any cloud computing service in your company.

*On 24 January 2020, the Office of the Polish Financial Supervision Authority published online its Position regarding the use of public or hybrid cloud computing by supervised entities.
This consists of a set of guidelines, recommendations and explanations to enable universal and secure use of public and hybrid cloud computing solutions by supervised entities. For some years, these solutions were used by supervised entities, including banks, to a limited extend or not at all, due to the legal environment.

Information, legislation, advice on PolishCloud implementation

Developed by Kochański & Partners

Cloud computing implementation

Cloud computing services, depending on their subject (both in terms of the type of information processed and the processes ordered), may require the application of relevant industry regulations, including the provisions of the Cloud Computing Position and outsourcing regulations. The proper identification of a cloud computing service will allow us to choose only those tools necessary for the service to be implemented.

The scope of our services covers:

legal audit of a cloud computing service provider;
legal audit of policies (procedures) and models used by the client;
preparation/negotiation of a cloud computing service agreement, drafting of opinions;
reporting for supervision if it results from the nature of a cloud computing service.

ISO certification for cloud computing users

The ISO 27000 standards are international standards for the Information Security Management System. The audit policies and measures contained therein are intended to ensure the security of information relevant to each organisation. Prior to obtaining the certificate, an audit is carried out to verify compliance with the requirements of the standard. The certification confirms the highest care for the security of client and contractor data, as well as compliance with regulatory requirements (e.g. GDPR, Banking Law).

Kochański & Partners offers its advisory and implementation services as part of preparation for the ISO/IEC 27001 certification, including the ISO/IEC 27017 standard, addressed to clients using cloud computing services. Kochański & Partners services cover in particular carrying out an audit, reviewing or preparing the required documentation, as well as providing implementation advisory services and assistance to clients during the certification process.

The ISO certification confirms the appropriate level of data security and helps minimize the risks inherent in cloud computing services.

The ISO certification should be of particular interest to entities covered by financial supervision, processing data of a particular category or covered by professional secrecy, i.e. wherever data and information security is particularly important. Care in this area confirms the utmost diligence of members of the Management Board and managers in the age of economy 4.0.

Selected individual products

CLOUD COMPUTING IDENTIFICATION

We offer assistance in identifying public, hybrid and private cloud computing in terms of social cloud models and outsourcing of legally protected information – specific outsourcing. Depending on the type of a cloud computing service, we indicate the scope of applicable regulations.

SERVICE PROVIDER SELECTION

We offer assistance in selecting a service provider by:

location of a data processing centre;
seat of a cloud computing service provider;
methods used by information security and encryption service providers;
other issues at the preference of the client.

OUTSOURCING AGREEMENT

SWe draw up and assist in concluding tailor-made agreements, and conduct negotiations with cloud computing service providers.

IMPLEMENTATION PROCESSES

We advise on the following processes:

information classification and evaluation together with their documentation;
risk assessment together with its documentation;
fulfilment of individual technical and organisational requirements for cloud computing together with its documentation.

SELECTED DOCUMENTATION

We offer legal assistance in preparing documentation indicated by the client for cloud computing implementation, including:

organisational chart of positions or functions related to cyber security;
technological security rules (policies) and organisational cloud computing solutions;
business continuity management rules (policies);
compliance management rules (policies) (inter alia, software licensing processes), including rules (policies) for compliance with regulatory requirements;
rules (policies) for review and management verification of the security system related to the use of cloud computing;
rules (policies) for reporting, review and verification of the quality parameters of cloud computing services;
description of processes, procedures or instructions for selected areas (management of logs, incidents, keys, etc.);
rules for management of policies and documentation within the organisation management system.

REPRESENTATION BEFORE THE PFSA

Representation in connection with PFSA notifications, investigations and audits.

PFSA AUDIT SIMULATION

In accordance with applicable laws, the PFSA may carry out an audit regarding the use of cloud computing in accordance with applicable regulations. Entities required to comply with PFSA recommendations should be duly prepared for any such audit.

A specific unit may carry out an audit simulation, allowing for the identification of the weakest links in the protection of personal data processing in an enterprise.

Timeline

2 February 2022

Publication of the PolishCloud 2.0 Standard – the most recent and comprehensive set of practices and solutions guiding banks smoothly through the cloud migration process, with the highest security standards applied.

1 November 2020

Update of Cloud Communication in connection with the epidemic, extending the implementation deadline until 1 November 2020

link

20 July 2020

The “Practical Legal Aspects of the Road to the Cloud” training as part of the PolishCloud Academy, with Aleksandra Piech and Daniel Kozłowski as speakers.

1 June 2020

PolishCloud Academy inauguration. The Polish Bank Association, Microsoft, Google Poland, the National Cloud Operator, Accenture and Kochański & Partners have established a joint group to promote cloud computing solutions in the Polish banking sector, creating the PolishCloud Academy project, providing free training and workshops relating to cloud implementation for representatives of financial institutions.

link

March 2020

The PolishCloud, i.e. a Polish standard for cloud computing implementation in banks based on, inter alia, the Position of the PFSA of 24 January 2020, is launched. This is a unique roadmap for banks in Poland seeking to implement cloud computing services.