How to become a cloud officer?

This training aims to provide an introduction to the main regulatory requirements related to cloud outsourcing arrangements as defined by the CSSF circular 22/806 with a specific focus on the role of the cloud officer. In addition, it will address the practical implications of adopting cloud solutions while complying with the main provisions. The goal is to enable the CSSF-supervised entities to increase their comfort level in relation to cloud specific regulations in order to support their digital transformation process.

This training course is designed as an essential step to assist participants in addressing the following challenges, among others:

• What are the main responsibilities as a cloud officer?
• What are the key regulatory considerations you should know prior to your cloud outsourcing project?
• What are the key aspects you should know about your service providers?
• Which elements should be considered to conclude the materiality of your outsourcing arrangements?
• When should the competent authority be informed? What procedure should be followed?
• Where should the data centres be located?
• Which party is responsible for ensuring data and systems security in the context of a shared security model?
• What are the key contractual obligations of your service providers?
• What are the key technical aspects to be considered when adopting cloud solutions?
• What are the training resources provided by the service providers?

By the end of this training, participants will be able to:

• understand the main provisions related to cloud outsourcing arrangements as defined by the CSSF circular 22/806;
• describe the different governance models supporting IT outsourcing;
• explain the role and responsibilities of a cloud officer;
• identify the key considerations with regard to Cloud Service Providers (CSP);
• identify the main aspects of managing cloud risks, particularly in the context of a "shared security model";
• describe the key documentation requirements.

Compliance considerations and practical implications

• Evolution of regulatory landscape
• IT outsourcing vs. cloud computing outsourcing
• Main requirements of CSSF 22/806 with a focus on cloud outsourcing arrangements
• Role and responsibilities of a cloud officer
• Cloud and professional secrecy requirements
• CSSF notification request process (i.e. CSSF notification form for material IT activities)
• Regulatory guidance on the key documentation to maintain (incl. criticality assessment, due diligence, risk assessment, cloud register)

Key considerations for software and Cloud Solution Providers

• Landscape of cloud services offering (including cloud services models, cloud deployment models)
• Popular solutions observed in the market
• Managing outsourcing and cloud risks in a context of shared security model
• Contractual clauses and financial service compliance
• Cloud adoption - Prerequisites and way forward approach

This training is coordinated by Adam Tymofiejewicz, Director and Xiaoyi Fang, Senior Manager at PwC Luxembourg.

Adam Tymofiejewicz is a director in technology consulting with more than 14 years of experience in organisational management, operational excellence and performance management. He helps private sector as well as Pan-European public sector clients to align IT organisation and architecture with their business strategy in the most effective way. He is experienced in consulting and providing solutions related to operational and strategic organisations' effectiveness and has worked for EU institutions and agencies.

Xiaoyi Fang is a senior manager with in-depth experience in implementing European regulatory requirements, in reviewing the compliance framework for financial institutions and familiar with EU regulatory process in financial services. She has driven and contributed to a number of projects in complex structure and dynamic environments.