Integrated Cloud Outsourcing

Philipp Rosenauer
Partner Legal, PwC Switzerland

The use of cloud services can result in greater efficiency and flexibility in IT for many organisations in Switzerland, from large, globally oriented companies to SMEs. For successful outsourcing to the cloud, legal and regulatory, business and IT security aspects must be taken into account. This article provides an overview of the most important points.

Legal and regulatory aspects

Legal questions of permissibility arise in connection with cloud outsourcing. The density of regulations is particularly high in regulated areas, or if personal data or customer data are involved. Swiss organisations should therefore carefully assess the legal and regulatory permissibility of the planned cloud outsourcing.

In this context, it is important to have thorough knowledge of the cloud provider and the targeted cloud setup. This can be done with the help of a Cloud Assessment Checklist. The checklist includes a number of questions for evaluation, such as (list not exhaustive):

Cloud Assessment Checklist

  1. Which regulations and (industry) guidance are relevant for your organisation?
  2. Which activities and operations will be outsourced to the cloud provider?
  3. How is the issue of counterparty risk addressed through your choice of cloud provider?
  4. What data will be processed by the service provider on behalf of your organisation?
  5. How are your organisation’s data isolated from other data held by the cloud provider?
  6. Are there any mandatory terms that must be included in the contract with the cloud provider?
  7. Will the proposed outsourcing require offshoring? If so, from which territory or territories will the outsourced cloud services be provided?
  8. Has your organisation performed a risk assessment of this outsourcing arrangement, including security-related risk assessment of the latest security threats?
  9. Does your organisation have a policy, approved by the Board, relating to the outsourcing?
  10. Is there a vendor management process to monitor the performance of the cloud provider?
  11. Does your organisation maintain an up-to-date inventory of outsourced functions? Are arrangements in place to ensure the cloud provider delivers the relevant information to keep the inventory up to date?
  12. Does the outsourcing contract with the cloud provider include a clause that allows the regulators to access documentation and information relating to the outsourcing arrangement?
  13. Does the outsourcing agreement provide a guarantee of access to the minimum IT assets required to operate under a disaster scenario?
  14. Does the outsourcing agreement also include reporting mechanisms that ensure adequate oversight of IT security risk management by the cloud provider?
  15. Is the outsourcing agreement sufficiently flexible to accommodate changes to existing processes and to new processes in the future in order to meet changing circumstances?
  16. In the event of termination, do transitional arrangements address access to, and ownership of, documents, records, software and hardware, and the role of the service provider in transitioning the service?
  17. Does your organisation have a process for auditing the service provider to assess its compliance with your policies, procedures, security controls and the requirements on this checklist?
  18. What security controls are in place to protect the transmission and storage of confidential information such as customer data within the infrastructure of the cloud provider?
  19. What policies does the cloud provider have in place to monitor employees with access to confidential information?
  20. How does the cloud provider handle law enforcement requests for access to customer data?

Every company and every cloud project is different. The Cloud Assessment Checklist should therefore be tailored according to the relevant company, its industry and its proposed use of cloud services. 

Business aspects

Whether pure storage capacity or a fully-fledged SaaS service (CRM, accounting, etc.), the cloud may offer significant advantages over an on-premise solution, such as the following:

  • Rapid availability and flexibility (scalability) of cloud services: By means of cloud computing as ‘on-demand computing’, an organisation obtains only those cloud resources that it needs over a specific period of time. For short-term peaks in demand, additional computing power or storage capacity can be called up flexibly and quickly via the cloud.
  • Reduced IT investments, planning security: Cloud services are in principle billed at a periodic flat rate based on the company’s individual needs. Companies can thus achieve cost benefits and at the same time plan IT expenditure reliably and predictably.
  • Increased productivity: By enabling IT processes to run in parallel in the cloud with powerful multiple virtual servers, computing speed is accelerated many times over. This significantly reduces computing and waiting time in the organisation.
  • Global availability of services and data: With the cloud, corporate data and IT infrastructure services are available globally.

When selecting the appropriate cloud infrastructure, an appropriate vendor assessment and targeted selection of the required cloud services are both central. Other aspects such as the expandability of the cloud services and the portability of the data in the event of a possible change of provider also play a role.

IT security aspects

Although many cloud providers invest a lot of resources in building and keeping their IT security up to date, organisations cannot simply rely on the adequacy of the cloud provider’s IT security as their business model and reputation depend significantly on having a secure IT infrastructure.

Instead, it is incumbent on organisations to check the (technical) adequacy of the cloud provider’s measures and, if necessary, to strengthen them with their own measures.

How PwC can support you

With our integrated cloud services model, we can fully advise you on all cloud requirements from a single source. Our legal and IT specialists work hand in hand and have already successfully supported several organisations in migrating to the cloud.

Thanks to our experience, we have the relevant tools, checklists and methods to make your planned cloud outsourcing project a success from a legal, business and IT perspective.

In particular, we can support you with the following aspects:

  • Assessment of all legal and compliance aspects with regard to your specific planned cloud outsourcing
  • Provision of a targeted Cloud Assessment Checklist for your self-assessment (with or without further PwC support)
  • Vendor assessment (legal and technical)
  • Cloud contract drafting and review
  • Provision of a Cloud Computing Contract Checklist
  • Drafting and review of vendor management process
  • Drafting and review of all policies and procedures (e.g. IT Acceptable Use, IT Cloud Computing Policy)

Do you have any questions about our services, or would you like further information?

We look forward to hearing from you!


Contact us

Philipp Rosenauer

Partner Legal, PwC Switzerland

Tel: +41 58 792 18 56

Adrien Tharin

Director | Head of FinTech, Blockchain and Digital Assets, PwC Switzerland

Tel: +41 58 792 92 24

Rejhan Fazlic

Partner and Technology Strategy & Transformation Leader, PwC Switzerland

Tel: +41 58 792 1148

Prafull Sharma

Partner, Cloud & Digital Leader, PwC Switzerland

Tel: +41 58 792 18 72

Anouk Geene

Senior Associate | Data Privacy | ICT | Implementation, PwC Switzerland

Tel: +41 58 792 44 00

Caitlin Hemminga

Associate | Data Privacy | ICT | Implementation, PwC Switzerland

Tel: +41 58 792 49 64