copebit works with a number of clients in the financial services industry, so we keep track of news regarding compliance with security requirements in this particular field. We are therefore happy to share that AWS has published a FINMA ISAE 3000 Type 2 attestation report. The report covers five important FINMA circulars:
- 2018/03 “Outsourcing – banks and insurers” (31.10.2019);
- 2008/21 “Operational Risks – Banks” – Principle 4 Technology Infrastructure (31.10.2019);
- 2008/21 “Operational Risks – Banks” – Appendix 3 Handling of electronic Client Identifying Data (31.10.2019);
- 2013/03 “Auditing” (04.11.2020) – Information Technology (21.04.2020);
- Business Continuity Management (BCM) minimum standards proposed by the Swiss Insurance Association (01.06.2015) and Swiss Bankers Association (29.08.2013);
Conducted by a third-party auditor, the FINMA ISAE 3000 Type 2 report provides additional assurance that the design and internal controls in the AWS Cloud adhere to FINMA (the Swiss Financial Market Supervisory Authority) requirements, which pertain to regulated financial services clientele. These controls mitigate operational risks along with risks associated with outsourcing and business continuity management. Included as well are guidelines on complementary user entity controls (CUECs), which are essential for helping customers comply with FINMA’s control objectives. The FINMA report covers the period from 4/1/2020 to 9/30/2020 and includes 124 AWS services and 22 global Regions.
The full report may be found here. Furthermore, the copebit team suggests that financial services clients download an additional FINMA report from AWS Artifact. Our team has learned that AWS Artifact provides a useful mapping of the FINMA reports, including the details of a vendor’s CUECs, the Well-Architected Review on the customer’s side, and the config mappings for the security statements.
Marco is a managing partner at copebit. He got seven AWS certifications. He has spent three years in Australia and has worked with AWS and DevOps technologies for the last 6 years.