7

Data security

7.1

In this chapter, the term ‘data’ should be interpreted very broadly to include confidential, firm-sensitive, and transactional data. It may also cover open source data (eg from social media) collected, analysed, and transferred for the purposes of providing financial services, as well as the systems used to process, transfer, or store data. The expectations in this chapter apply to material outsourcing arrangements and other third party arrangements that involve the transfer of data to third parties, in line with the EBA ICT GL. This chapter should also be interpreted consistently with requirements under data protection law.

7.2

Where a material outsourcing or third party agreement involves the transfer of or access to data, the PRA expects firms to define, document, and understand their and the service provider’s respective responsibilities in respect of that data and to take appropriate measures to protect that data.

7.3

Building on General Organisational Requirements 2.4 (banks) and Article 274(e) of the Solvency II Delegated Regulation, where a material outsourcing or third party agreement involves the transfer of data, the PRA expects firms to:

  • classify relevant data based on their confidentiality and sensitivity;
  • identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);
  • agree an appropriate level of data availability, confidentiality, and integrity; and
  • where appropriate, obtain assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.

7.4

Some risks relating to data that the PRA expects firms to consider include but are not necessarily limited to unauthorised access, loss, unavailability, and theft.

Data classification

7.5

Firms are responsible for classifying their data. While the PRA does not prescribe a specific taxonomy for data classification, it expects firms to implement appropriate, risk-based technical and organisational measures to protect different classes of data (eg confidential, client, personal, sensitive, transaction) when:

  • developing and implementing their outsourcing policy and other relevant policies and strategies in paragraph 4.10 (business continuity, contingency planning, disaster recovery, ICT, information security, operational resilience, OCIR, and risk management); and
  • sharing data with third parties, including but not limited to as part of an outsourcing arrangement.

Data location

7.6

As noted in Chapter 10, the PRA recognises the potential benefits for operational resilience of firms using cloud technology to distribute their data and applications across multiple, geographically dispersed availability zones and regions. This approach can strengthen firms’ ability to respond and recover from local operational outages faster and more effectively, and enhance their ability to cope with fluctuations in demand.

7.7

The PRA also recognises the potential negative consequences of restrictive data localisation requirements on firms’ innovation, resilience, and costs. None of the expectations in this SS and in particular this section should be interpreted as explicitly or implicitly favouring restrictive data localisation requirements.

7.8

However, the PRA expects firms to adopt a risk-based approach to the location of data that allows them to simultaneously leverage the operational resilience advantages of outsourced data being stored in multiple locations and manage relevant risks, which may include:

  • legal risks stemming from conflicting or less developed relevant legal or regulatory requirements in one or more of the countries where the data may be processed;
  • challenges to firms’, the Bank’s, and the PRA’s ability to access firm data in a timely manner if required (eg as part of their enforcement, resolution, or supervisory functions) due to local law enforcement, legal, or political circumstances; and
  • other potential risks to the availability, security, or confidentiality of data, for instance, high risk of unauthorised access or ICT risks stemming from inadequate data processing equipment.

7.9

As part of their due diligence and risk assessment in the pre-outsourcing phase, firms should identify whether their data could be processed in any jurisdictions that are outside their risk tolerance and, if so, bring this to the attention of the third party when negotiating the contractual arrangement in order to discuss adequate data protection and risk mitigation measures.

Data security

7.10

The PRA expects firms to implement appropriate measures to protect outsourced data and set them out in their outsourcing policy (see Chapter 4) and, where appropriate, in their written agreements for material outsourcing (see Chapter 6).

7.11

The PRA expects firms to implement robust controls for data-in-transit, data-in-memory, and data-at-rest. Depending on the materiality and risk of the arrangement, these controls may include a range of preventative and detective measures, including but not necessarily limited to:

  • configuration management. This is a particularly important measure: in the context of cloud, for example, misconfiguration of cloud services is a major cause of data breaches;
  • encryption and key management;
  • identity and access management, which should include stricter controls for individuals whose role can create a higher risk in the event of unauthorised access (eg systems administrators). Firms should be particularly vigilant about privileged accounts becoming compromised as a result of phishing attacks and other leaking or theft of credentials, in line with paragraph 31 of the EBA ICT GL;
  • the ongoing monitoring of ‘insider threats’ (ie employees at the firm and at the third party who may misuse their legitimate access to firm data for unauthorised purposes, maliciously or inadvertently). The term ‘employee’ should be construed broadly for these purposes and may include contractors, secondees, and sub-outsourced service providers (see Chapter 9);
  • access and activity logging;
  • incident detection and response;
  • loss prevention and recovery;
  • data segregation (if using a multi-tenant environment);
  • operating system, network, and firewall configuration;
  • staff training;
  • the ongoing monitoring of the effectiveness of the service provider’s controls, including through the exercise of access and audit rights (see Chapter 8);
  • policies and procedures to detect activities that may impact firms’ information security (eg data breaches, incidents, or misuse of access by third parties) and respond to these incidents appropriately (including appropriate mechanisms for investigation and evidence collection after an incident); and
  • procedures for the deletion of firm data from all the locations where the service provider may have stored it following an exit or termination, provided that access to the data by the firm or PRA is no longer required (see Chapters 8 and 10). When deciding when to delete data, firms will need to consider their obligations under data protection law and their potential data retention obligations.
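The controls listed in 7.11 and the location risk tolerance described in 7.8 and 7.9 are most useful when they are checked continuously against the provider's actual configuration rather than only at contract signature. The following is an added example, not part of this supervisory statement and not any provider's tooling: a small detective check that evaluates a constructed inventory of outsourced storage buckets against a firm-defined policy. The JSON schema, field names, region identifiers, and the `Policy` thresholds are assumptions chosen for illustration.

```python
"""Detective configuration check for outsourced data stores.

Added example (not part of the PRA supervisory statement): evaluates a
constructed, hypothetical description of a cloud storage configuration
against the 7.11 controls (configuration, encryption and key management,
logging, loss prevention, segregation) and the 7.8/7.9 location risk
tolerance. The inventory schema below is an assumption for illustration,
not any provider's real API.
"""
import json
from dataclasses import dataclass

# Constructed sample: a hypothetical inventory of two buckets as the firm's
# configuration-management tooling might export it. All field names assumed.
SAMPLE_INVENTORY = json.dumps({
    "buckets": [
        {
            "name": "client-records-prod",
            "classification": "confidential",
            "regions": ["eu-west-2", "eu-west-1"],
            "public_access_blocked": True,
            "encryption": {"at_rest": True, "key_owner": "firm"},
            "access_logging": True,
            "versioning": True,
            "tenant_isolation": "dedicated",
        },
        {
            "name": "analytics-scratch",
            "classification": "confidential",
            "regions": ["eu-west-2", "ap-southeast-1"],
            "public_access_blocked": False,
            "encryption": {"at_rest": True, "key_owner": "provider"},
            "access_logging": False,
            "versioning": False,
            "tenant_isolation": "shared",
        },
    ]
})


@dataclass
class Finding:
    bucket: str
    control: str
    detail: str


@dataclass
class Policy:
    # Jurisdictions inside the firm's risk tolerance (7.9); assumed values.
    allowed_regions: frozenset = frozenset({"eu-west-2", "eu-west-1"})
    # Data classes for which the firm itself must hold the keys (7.12); assumed.
    firm_held_keys_for: frozenset = frozenset({"confidential"})
    # Data classes that must not sit in a shared multi-tenant store (7.11).
    dedicated_tenancy_for: frozenset = frozenset({"confidential"})


def audit_bucket(b: dict, policy: Policy) -> list[Finding]:
    """Return one Finding per control the bucket fails; empty list if clean."""
    findings = []
    name = b["name"]
    cls = b.get("classification", "unclassified")
    if cls == "unclassified":
        findings.append(Finding(name, "classification", "no data class recorded (7.5)"))
    outside = sorted(set(b.get("regions", [])) - policy.allowed_regions)
    if outside:
        findings.append(Finding(name, "data location",
                                f"replicated outside risk tolerance: {outside} (7.9)"))
    if not b.get("public_access_blocked", False):
        findings.append(Finding(name, "configuration", "public access not blocked (7.11)"))
    enc = b.get("encryption", {})
    if not enc.get("at_rest"):
        findings.append(Finding(name, "encryption", "data at rest not encrypted (7.11)"))
    elif cls in policy.firm_held_keys_for and enc.get("key_owner") != "firm":
        # Encryption only protects against the provider if the firm holds the key.
        findings.append(Finding(name, "key management",
                                f"keys held by {enc.get('key_owner')} (7.12)"))
    if not b.get("access_logging"):
        findings.append(Finding(name, "logging", "access/activity logging disabled (7.11)"))
    if not b.get("versioning"):
        findings.append(Finding(name, "loss prevention", "no versioning for recovery (7.11)"))
    if cls in policy.dedicated_tenancy_for and b.get("tenant_isolation") != "dedicated":
        findings.append(Finding(name, "segregation",
                                "shared multi-tenant store for confidential data (7.11)"))
    return findings


def audit_inventory(inventory_json: str, policy: Policy = Policy()) -> dict[str, list[Finding]]:
    """Audit every bucket in an exported inventory; keyed by bucket name."""
    inventory = json.loads(inventory_json)
    return {b["name"]: audit_bucket(b, policy) for b in inventory["buckets"]}


if __name__ == "__main__":
    for bucket, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  - [{f.control}] {f.detail}")
```

Run against the constructed inventory, the production bucket passes and the scratch bucket raises six findings (out-of-tolerance region, public access, provider-held keys, no logging, no versioning, shared tenancy). In practice the inventory would be pulled from the provider's configuration API on a schedule and the findings routed into the firm's incident detection and response process, which is what turns the 7.11 list into an ongoing control rather than a one-off due diligence item.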

7.12

Where data is encrypted, firms should ensure that any encryption keys or other forms of protection are kept secure by the firm or outsourcing provider. The data protected by encryption (although not necessarily the encryption keys themselves) should be provided to the PRA in an accessible format if required, in accordance with Fundamental Rule 7 and other potentially relevant regulatory requirements.

7.13

The ability of service providers to respond to customer-specific data security requests may vary depending on the service being provided. Generally, the more standardised the service, the more difficult it might be for the service provider to accommodate these requests. The PRA’s focus is on the overall effectiveness of the service provider’s security environment, which should allow firms to meet their regulatory and risk management obligations and be at least as effective as their in-house security environment. As long as service providers can provide assurance that this is the case, the PRA does not have specific expectations around customer-specific requests.