Main text

In the discussion on outsourcing, it is stated that a cloud outsourcing checklist must be submitted 30 days before the envisaged use of the service commences. The checklist covers the main elements that need to be considered in such outsourcing. It can be found on the site's form search (in Icelandic).

The supervised entity must assess the risks related to cloud solutions, for example by working through the checklist, since the checklist covers the factors that need to be taken into consideration when outsourcing to the cloud. At the same time, the supervised entity must ensure that adequate security measures are in place before the outsourcing takes effect.

Chapter 3.1 of General Guidelines no. 1/2019 (in Icelandic) on risks due to information systems operated by supervised entities covers cloud services, and chapter 3 discusses outsourcing. Likewise, the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) have issued guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002 and ESMA50-164-4285 respectively), and the European Banking Authority (EBA) has issued guidelines on outsourcing (EBA/GL/2019/02).

Special consideration must be given to the data storage location, multi-factor authentication, encryption, the duration of the arrangement, jurisdiction and more, in order to ensure the security of the activities and data that are outsourced to the cloud. One consideration, for example, is whether the data is stored outside the EU/EEA. This could make it more difficult to access the data, or the local legislation may not be compatible with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).

Accounting data must be preserved in Iceland for 7 years and securities market trading orders for 5 years. To ensure the security of data stored in the cloud, care must be taken to control who has access to it, whether it is encrypted, whether access requires multi-factor authentication, and which country's legislation applies to the cloud service. The checklist covers the main criteria that must be met and addresses the operational risks of cloud services as they are treated in laws and government regulations. The supervised entity must always be able to access its own data and must ensure that it complies with the laws and regulations that apply to the activities it carries out.

In the case of chain outsourcing (sub-outsourcing), it is necessary to check how long the chain is, in which jurisdiction the cloud service and the data are located, whether the security of the data is guaranteed, and whether the data can be accessed in a simple manner. According to Point 30 of Guidelines no. 1/2019, it is preferable that supervised entities do not chain outsource the hosting of information systems and data, either wholly or in part, further than to a fourth party. All responsibility for outsourcing lies with the supervised entity, and this also applies to outsourcing to the cloud.