PRA’s Outsourcing and Third-Party Risk Management (PRA SS2/21) – Are your SaaS applications ready?

Most UK companies regulated by the Prudential Regulation Authority (PRA) including banks; financial institutions; credit unions; insurance and reinsurance firms are adopting SaaS hosted applications for many critical applications within their companies.

The PRA SS2/21 and PS7/21 polices are aimed at ensuring these regulated companies have robust continuity measures in place for services designated under outsourcing and third party risk management. The new policies come into effect on the 31st March 2022.

With the clock ticking and time running out, this article brings you everything you need to know to about Prudential Regulation Authority’s Supervisory Statement (SS2/21) and how you can ensure your SaaS applications are compliant.

Background

In March 2021, the Bank of England’s Prudential Regulation Authority PRA published their expected policy and supervisory statements on outsourcing and third-party risk management.

The PS7/21 policy statement provides the PRA’s response to feedback received regarding their Consultation Paper (CP) 30/19 titled “Outsourcing and third-party risk management”, and supervisory expectations statement SS2/21 outlines the PRA’s supervisory expectations with respect to third party outsourcing arrangements. 

These documents outline the expectations and outcomes regulated financial institutions will need to comply with to establish and maintain resilience of their Important Business Services.

Which companies are impacted by SS2/21?

The SS2/21 polices are relevant to banks, building societies, PRA designated investment firms, insurance, reinsurance firms, branches of overseas banks, insurers and credit unions.

The SS2/21 policy may apply to all outsourcing arrangements and even some non-outsourcing third party arrangements. Non-outsourcing third party arrangements include the purchases of hardware, software, and other ICT products including SaaS hosted applications.

The PRA expects the firms to assess the materiality and risks of non-outsourcing third party arrangements as well as outsourcing arrangements. Where a firm deems a non-outsourcing third party arrangement “material” or “high risk” it should implement proportionate controls appropriate to the risk, and as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality. These do not need to be the same as the controls which apply to outsourcing, but firms should apply stricter controls to “material” non-outsourcing third party arrangements than to non-material outsourcing arrangements.

How to ensure your SaaS hosted applications comply with SS/21?

When analysing the compliance risks associated with a critical SaaS application, the PRA designated firms need to understand the impact on their business if a SaaS vendor failed and were unable to provide a critical service.

The SS/21 policy highlights the requirement for a robust business continuity and exit plan for such outsourced third-party services:

“The Operational Resilience Parts of the PRA Rulebook require firms to test their ability to remain within impact tolerances in severe but plausible disruption scenarios. Likewise, the SS expects that firms’ testing of their business continuity and exit plans should include the ability to remain within impact tolerances. Firms may choose to conduct testing that fulfils both of these obligations at the same time. In addition, Chapter 5 of the SS notes that a key criterion for assessing materiality is whether an arrangement could materially impair the firm’s operational resilience, particularly its ability to continue providing important business services. The PRA expects, therefore, that all outsourcing arrangements that support an important business service should be considered material.”

Severe but plausible disruption scenarios would include:

  • Service interruption due to natural or other disaster
  • Failure due to SaaS vendor mismanagement or malicious employee
  • Hacking or ransomware attack
  • Bankruptcy or other insolvency event

As the ultimate responsibility lies with the PRA regulated firm, relying on the SaaS vendor’s Disaster Recovery Plan (DRP) or Business Contingency Plan (BCP) plan is not adequate. The PRA regulated firms would require their own internal continuity plan to tackle such an outsourced third-party failure.

This is where things get complex. SaaS hosted applications are popular because they are hosted by specialist software vendors taking responsibility for the application, security, data, and the infrastructure which are all outside the control of the financial institution.

In order to comply with the continuity requirements of the SS/21 policy, financial institutions are investing in SaaS Continuity Escrow solutions to provide a safety net in the event of a critical SaaS vendor failure.

Escrow London have been building bespoke SaaS Continuity Escrow solutions for a number of large PRA regulated banks and financial institutions in the UK to assist with SS/21 compliance.

These SaaS Continuity Escrow solutions typically include:

  • Replicated SaaS Continuity Escrow
    • Providing a replicated cloud environment with databases using deployment scripts that may be activated in the event of a release situation.
    • Escrow London will maintain a dedicated beneficiary cloud account in AWS, Microsoft Azure or Google Cloud . After implementation, the cloud environment will be maintained in a dormant state with a copy of the database updated daily. In the event of a material failure of the SaaS vendor, Escrow London will be in the position to spin up a recovery environment with the most recent deposited database. The new escrow environment may be maintained by Escrow London for an agreed period of time anywhere from 30 days to 1 year, allowing the financial institution to continue operating and complying with their obligations under SS/21 until a new solution is implemented.
    • The Replicated SaaS Continuity solutions are tested by Escrow London on a quarterly basis to ensure the deposited system is up to date and functioning as expected by the financial institution.

  • SaaS Access Continuity
    • Deposit of access credentials to the production environment usually hosted within AWS, Microsoft Azure or Google Cloud. Escrow London’s team of cloud engineers will become familiar with the production environment through a transfer of knowledge process with the SaaS vendor. In the event of a material failure, Escrow London has the authority to step in, segregate and transfer the beneficiary’s AWS environment to a new AWS account under the ownership of Escrow London or the financial institution. The recovered escrow environment may be maintained by Escrow London for an agreed period of time anywhere from 30 days to 1 year, allowing the financial institution to continue operating and complying with their obligations under SS/21 until a new solution is implemented.
    • The Access Credentials continuity solution is tested on a quarterly basis to ensure the process for migrating the accounts is valid and documented.

  • Ransomware Recovery
    • With the current boom in ransomware attacks, recovery and backup hidden away from your network are critical to overcoming an attack. The Escrow London Ransomware Recovery Escrow solutions give financial institutions the chance to restore quickly when the worst happens through the following services:

      • Ransomware Recovery Live – dormant copy of the production environment that can be spun up at short notice.
      • Ransomware Database Recovery – daily copy of your database held out of reach from ransomware hackers.
      • Ransomware Source Code & Infrastructure as Code Sync – automated pull of source code and IaaC scripts held outside of your network.

  • SaaS Environment Escrow
    • This solution provides everything you need to recover the SaaS environment and typically includes an automated deposit of the following assets from the SaaS vendor:
      • Source code from the developer’s git repos
      • Deployment scripts (IaC) such a Terraform or CloudFormation
      • Containers
      • Virtual Machine images
      • Optional Database backups

    • In the event of an escrow release trigger, the Deposited Materials will be released to the Beneficiary
    • For additional assurance of recovery, the Beneficiary may request for Escrow London to perform any the following verification tests:

      • SaaS Release Verification to confirm that the deposited cloud assets and source code are deployable to a newly provisioned cloud environment independent of the SaaS vendor. The Escrow London cloud engineers will document in detail the deployment process.
      • Comprehensive Build Verification of source code to provide assurance that the deposited source code is complete and may be used to compile the source code into a working version of the application.

  • SaaS Command & Control Continuity
    • Designed for Beneficiaries who have third party SaaS applications hosted within cloud accounts under their ownership. The SaaS vendor will still manage and maintain the SaaS application but will not possess ownership of the underlying cloud account.
    • Beneficiaries may wish to retain ownership of the cloud hosting account as it provides a seamless transition in the event of a trigger of the SaaS escrow agreement following a vendor failure.
    • The Beneficiary or Escrow London will provision a dedicated cloud account for the specific SaaS application under the legal ownership of the Beneficiary. The root level access credentials and MFA will be reset by Escrow London and stored until a release event.
    • Source code and deployment scripts may be included as an optional add-on to provide an additional layer of protection.
    • In the event of an escrow release trigger, the root level access credentials to the production environment and other cloud assets/documentation will be released to the Beneficiary. As the Beneficiary is already the legal cloud account owner, there will be no need to assign the account ownership from the SaaS vendor to the Beneficiary. The Beneficiary will have the rights to maintain and use the application hosted within the cloud account.
    • To provide additional assurance of recovery, the Beneficiary may request for Escrow London to perform any the following verification tests:

      • Monthly or quarterly update of the access credentials.
      • SaaS Release Verification to confirm that the deposited cloud assets and source code are deployable to the cloud environment independent of the SaaS vendor. The Escrow London cloud engineers will document in detail the deployment process.
      • Environment Verification to document the architecture and configuration of the cloud environment. The Escrow London engineers will work with the SaaS vendor to clearly document the cloud configuration and the procedures required to support and maintain the production environment.

SS2/21 highlights escrow as one of the measures that can be put in place to assist with business continuity plans and stressed exits. The PRA advises that “firms’ exit plans should cover stressed exits and be appropriately documented and tested as far as possible.”

The PRA continue to advise that “Firms should also actively consider temporary measures that can help ensure the ongoing provision of important business services following a disruption and/or a stressed exit, even if these are not suitable long-term solutions, (e.g. contractual or escrow arrangements), allowing for continued use of a service or technology for a transitional period following termination.”

The above Escrow London SaaS Continuity Escrow solutions meet the stringent standards required to ensure financial institution resilience in the face of stressed challenges such as a material failure of a SaaS vendor.  To learn more about our robust SaaS Continuity and Ransomware Escrow solutions and how they can assist your business with PRA compliance, please contact us.

##

About Escrow London

Escrow London is a global software escrow vendor headquartered in the United Kingdom. Our global coverage is provided across our London office, Escrow London North America Inc in Atlanta, and our Australian office in Sydney.

We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS Continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud hosted SaaS applications. We support a wide range of clients includes major banks, central banks, insurance firms, technology companies and government.