Smart About Risk  
CNB Official Information on cloud computing

On 19 August 2016 the Czech National Bank issued an Official Information regarding the pursuit of business in the financial market – cloud computing. It applies to banks, credit unions, insurance companies and reinsurance companies, i.e. financial services providers.

As the term "cloud computing" does not occur in the financial market legal regulations, the Czech National Bank uses the following definition:

"Cloud computing refers to a model applied in the area of information and communication systems and technologies that enables network access to configurable computing resources (e.g. networks, servers, data storage, applications and services) that are shared by a large number of users and whose capacity is provisioned and released with minimum management effort or intervention of the cloud computing provider."

This definition reflects that of the National Institute of Standards and Technology in the USA (2009).

According to the Official Information, cloud computing has all the attributes of outsourcing, and financial services providers are obliged to ensure that the activities they carry on are compliant with all the relevant legislative requirements (e.g. risk management, internal control mechanisms, information flows, personal data protection and cyber security) and thus to ensure sound and prudent pursuit of business in the financial market on a continuous basis. The proportionality principle is also applied. A lightening or modification of regulatory requirements is therefore acceptable, for example, in the case of information and communication systems that support cooperation and information exchange only within the financial services provider or within the group of which it is a member, or in the case of the storage or processing of publicly available data.

When exercising supervision of financial services providers, the CNB shall, among other things, assess whether the financial services provider defines in its strategies its overall approach to, and main principles of, the use of cloud computing, and whether it recognises, assesses and takes due account of all other important effects of cloud computing specificities that are relevant to the assessment of risks relating to the outsourcing, including the traceability and recoverability of information about the governance processes of the cloud computing provider.