Cloud implementation support for the financial sector. Organisation, process and document adjustment for legal compliance
This article was inspired by our recent experiences in working with clients from the financial sector. Over the past few weeks, several financial institutions, including the largest banks, have approached Altkom Software and asked us to help prepare their organisations for cloud migration. In particular, they wanted us to ensure their compliance with the requirements of the Polish Financial Supervision Authority (UKNF).
Since we have significant experience in this area and know how to guide companies through the entire migration process step by step in accordance with legal regulations, we decided to share that knowledge with you as well. We want to shed a little more light on what you need to get ready in this process.
Cloud data processing
It turns out to be a serious challenge for companies to classify their information and evaluate risks involved in transitioning their data processing to the cloud.
The processing of protected data in the cloud is rigorously regulated by Polish law. However, many companies worry that the regulations might not be clear enough or correctly interpreted by their employees. These fears are understandable, especially since we are talking about particularly sensitive financial data. Any omissions or legal misinterpretations may prove costly or even prevent migration altogether.
So, what can you do? To begin with, analyse your cloud risk step by step, see how likely you are to lose control over processed data, and estimate the length of the outsourcing chain. Next, work out scenarios for risky situations so that you are prepared for possible incidents in advance and can manage them promptly. You will also need to prepare documents such as a cloud exit plan and a business continuity plan.
The long list of documents and analyses you need to prepare may make your head spin at first. You may even have second thoughts about cloud migration. The problem is not so much the complexity of the documents as the lack of resources and employee skills to deal with the task.
Analyses and documents required by the UKNF
Based on our experience in projects for financial institutions, we have drawn up a list that covers all the tasks and documents required by the UKNF, as well as IT and business expectations related to working in the cloud environment. We offer assistance at each step, regardless of whether the migration project has already started or you’re still only building your cloud transition strategy. At every stage, we offer expertise and practical knowledge to allow you to successfully prepare for cloud migration.
What should you do before cloud migration?
1. Analyse the systems you want to operate in the cloud in terms of data processing. Identify legally protected data;
2. Analyse data in terms of critical outsourcing;
3. Analyse the outsourcing chain;
4. Classify the information to be processed in the cloud;
5. Conduct risk assessments and prepare cloud data processing documentation, with a special emphasis on:
- cloud risks,
- cloud services to be used,
- human resources needed for migration,
- loss of control over data processing,
- encryption issues,
- outsourcing chain length,
- changes in cloud use,
- changes in the relationship with the cloud provider, including contract termination;
6. Prepare the necessary documents, with a special emphasis on:
- the sources of information on cloud threats,
- skills (not including hired skills),
- an external analysis of the cloud service provider;
7. Prepare a cloud data processing plan;
8. Prepare a document describing your cloud data processing exit strategy;
9. Prepare a document describing a business continuity plan for applications that will be moved to the cloud;
10. Analyse technical and IT process maturity, develop an IT strategy necessary for cloud migration and draft a strategy for tools, standards and artifacts;
11. Draft an application to be filed with the UKNF.
Another challenge faced by financial institutions that want to ensure compliance with UKNF requirements is the need to create the target architecture for their migrated systems. More often than not, because some systems lack support and/or have a monolithic architecture, environments must be rewritten or reconfigured during the migration process. Most commonly, our clients are only beginning to train their architects in this area and usually require external assistance.
It is a good idea to hire a company with prior experience in similar projects, with certified architects and experts who know the capabilities of a given cloud in terms of architecture, such as the Azure Well-Architected Framework.
The preparatory stage is the best moment to optimise the future costs of the solution you’re developing, on your own or with the assistance of external experts. This is especially true for companies from regulated sectors, because in their case, cloud migration involves extra internal costs at the initial stage of the project.
These expenses primarily include the costs of preparing documents that describe the institution’s compliance with UKNF recommendations, as well as regular risk assessment and data classification tasks. This creates additional workflows, which makes it more difficult to take the first step in the cloud. IT departments and businesses need to regularly test their cloud exit scenarios and DRC, which increases the costs of the project. Fortunately, some of these tasks may be outsourced, which is particularly cost-effective if the organisation is not planning to hire any more permanent staff.
In addition, when you’re doing something for the first time and still lack the relevant experience and benchmarks, you can end up overpaying. There are many cost optimisation opportunities at an early migration stage. You just need to know what to pay attention to and understand the consequences of your decisions. By using the FinOps service, you can save anywhere from 20 to 40% of your budget. It is also a good idea to ask your providers about subscription fees. You may have several cloud subscription resellers, which, again, would allow you to further reduce costs for specific products or applications.
To find out more about cost optimisation, go to: 11 steps to cost optimisation and informed financial management in Azure cloud.
Cloud migration is a particularly big and demanding project. Because migration tasks are so important, companies increasingly decide to outsource their preparation, compliance, and project tasks.
“In our team, we often say we work like a cloud would. When our clients need ‘power’, or support, they download it from us. And when the extra power is no longer needed, we wrap up our cooperation and they don’t have to spend any more money. It’s the same as paying for cloud resources. Remember that using external assistance doesn’t mean compromising on quality. On the contrary, you stand to gain a lot, especially if your partner can boast certificates and prior experience in similar projects”.
Delivery Manager, Azure Unit