The guidance states that companies regulated by the FCA that use cloud computing services must have a documented business case in place if the services are to be used for critical functions, and a risk assessment must also be in place. The FCA has further stated that companies must require their provider to inform them immediately of any data security breach. Companies should also be able to gain physical access to the provider’s data centres, and should not have a contract in place that restricts the number of requests they can make to access their data.
However, during the consultation process for these guidelines, some of the proposed requirements were criticised, and the FCA altered some of its recommendations in response to that feedback.
The final guidance document states that the requirement for companies to be notified about breaches is important for their ability to manage risk adequately. The FCA has acknowledged that some of the wording in the document is ‘high-level’, but the document leaves companies some leeway to agree with their provider exactly what constitutes a breach. Some critics believe that ready physical access to the provider’s data centres could itself be a security risk.
Guidelines that were abandoned include a requirement to control where data is stored, which was considered impractical.