By Noah Kessler
The widespread use of cloud service providers in the financial services industry continues to increase. According to a recent study by the Cloud Security Alliance, 91 percent of financial services organizations are actively using cloud services or plan to employ them within six to nine months. That is double the number reported four years ago.
After having evaluated the benefits, large financial institutions are embracing the cloud, resulting in its exponential growth in the industry. While the cloud delivers a raft of benefits, the pace of cloud adoption also has raised questions regarding the efficacy of risk management and compliance practices within CSPs. However, CSPs are well-positioned and highly experienced in practicing effective risk management. Mature and robust risk management practices and processes are embedded in every vertical and product line in leading CSPs.
Regulators, who regard CSPs as emerging technology organizations (in the same category as fintech and regtech companies), have been publishing guidance on the use of these various technology organizations and providers for nearly a decade. Until recently, however, the guidance has not been very detailed.
Ultimately, the burden of providing regulators with greater comfort regarding the use of CSPs rests with the regulated financial services industry. The challenge is to prove to the regulators that CSPs and the financial services firms that use them understand and have effective risk management.
As cloud adoption in the financial services industry has increased, regulators are becoming more knowledgeable about how firms are relying on CSPs without sacrificing the rigor required in risk management and compliance practices.
Current perceptions—strengths and opportunities
Financial regulators generally focus on risk issues related to the safety and soundness of an institution as well as protection for its customers. In their attention to those priorities, regulators increasingly recognize how CSPs are supporting the security controls of financial services organizations by enabling a complete, real-time inventory of assets and how they are protected.
Cloud technology directly addresses the security concerns of regulators and others while providing significant operating benefits. Moving data and services from a bank’s dedicated legacy infrastructure to a multi-tenant cloud environment, if properly configured, can provide additional layers of security for the institution and decrease its systemic risk.
CSPs are world-class experts in security and protection, with highly skilled teams dedicated to ensuring privacy and effective controls. Amid the surge in cyber-attacks in recent years, financial institutions understand the difficulty of achieving the scale of what CSPs are investing in security internally.
Through the greater processing capacity and power that CSPs deliver, financial services firms can release new cutting-edge technologies much faster. They can also save money by moving from a fixed-cost to a variable-cost basis.
Because they serve multiple customers, CSPs’ scale provides cost savings. CSPs use that scale to keep their systems on the cutting edge of technology, providing the latest in infrastructure and security. Financial services institutions, on the other hand, often are trapped in legacy architecture that can necessitate an inefficient use of computing power and data storage. Smaller banks, in particular, may lack the capacity to hire the highest-caliber technology resources or be able to convert to newer technologies.
Regulators have come to appreciate that the basket of risk for financial services organizations has shifted and, in many cases, diminished with the advent of CSP involvement. In particular, they note the benefits of end-to-end security and remain attentive to coordination of incident responses between CSPs and financial services institutions.
However, regulators have questions about the overall risk management approach and practices among CSPs, which tend to differ from that of financial institutions, with which regulators have a high level of familiarity.
Regulators and examiners need to consider whether the questions they ask of financial services institutions still make sense in the context of cloud-based services and whether they might have to modify some of these as their understanding expands.
A robust risk management approach
A systemic relationship prevails between the banking community and CSPs. Just as with any third-party service provider, regulators recognize that if a CSP suffers a significant adverse event, a trickle-down effect could impact the banks.
CSPs’ robust risk management practices are evident when assessing them on operational resilience, risk controls, lines of defense, automation and innovation.
Focus on operational resilience
A critical component of risk management in financial services is operational resilience. Regulators have been very clear that operational resilience plans must account for firms’ material use of third-party providers.
Roles and responsibilities need to be delineated clearly between financial services institutions and the CSPs they use—typically referred to as a shared responsibility model. A clear contract that details the activities and obligations of each party is necessary. In the eyes of the regulators, any issue that arises ultimately is the responsibility of the financial institution.
CSPs cannot assess the criticality of a service for a financial institution. For example, a CSP wouldn’t know if a workload is so significant that it underpins a bank’s payment system. The criticality rating must be relayed to the examiners by the financial institution.
Although every CSP with which a financial institution has a relationship is responsible for a piece of operational resilience, banks must apply that shared responsibility model to systems placed in the cloud. Additionally, interdependencies between services present potential risks. If there were an outage for one service, it might have downstream effects on others.
Resilience poses further questions. Regulators may ask how the bank deploys a resilient architecture for its workloads on the CSP’s infrastructure. Regulators must understand the measures that the bank has taken to protect its resilience when parts of a CSP’s infrastructure are not available.
Above all, using and relying on a CSP that provides resilient and fault-tolerant infrastructure and services does not mean that the financial institution has abdicated responsibility around resilience. Regardless of what CSP an organization is using, it is the responsibility of that organization to manage its own space within the cloud. Systems in the cloud that are not architected properly will not enjoy the benefit of the CSP’s resilience advantages and could raise red flags for regulators.
Focus on risk management and controls
Leading CSPs employ robust risk management and compliance practices comparable to those of financial institutions. They just do so with a different approach and model (bottom-up and top-down, or 360 degrees) compared to financial institutions (top-down). Regulators are far more familiar with the model employed by financial institutions.
Within CSPs, a pervading culture of ownership drives risk management. Although governance reporting flows to senior leadership, as expected by regulators in terms of oversight, service and product teams still retain a high amount of accountability.
In a belt-and-suspenders approach, executive management oversees the commonalities while each service is essentially treated as its own business unit. That independence provides the flexibility to develop processes and operations that best support the needs of each service. Although the chief information security officer puts in place security guardrails, these groups are empowered to do what makes the most sense for their products.
Typical dimensions of risk mitigation differences are illustrated in the following examples:
Architecture. CSPs anticipate failure of hardware and software by building in automated resilience; financial institutions focus on resilience through traditional disaster recovery sites, requiring human intervention.
Service delivery. CSPs conduct service requests via application programming interfaces; financial institutions conduct service requests via human workflow.
Operability. CSPs’ programmatic and automated operations require fewer human operators as demand increases; within financial institutions, human-intensive operations grow linearly with demand.
The shared responsibility model outlines certain aspects for which the CSP is responsible and others for which their clients are. For instance, while the CSP may provide an API for a customer’s access to storage devices, the CSP won’t be responsible for the data the customer puts there. Its controls are intended to provide only virtual segmentation of the customer’s data and the physical environment networking around it, as well as to prevent attackers from accessing it through the CSP’s network. It remains the role of the customer to protect access to that data through proper controls and encryption.
Focus on the three lines of defense
The three lines of defense model–management/business line, risk and compliance oversight, and internal audit–is an accepted framework in financial services and other industries. This model defines responsibilities for management, risk oversight and independent assurance. CSPs employ the same model:
First line. Product development teams create and manage cloud services. These teams are comparable to a bank’s business lines and they focus on areas like security practices, capacity and availability. Each is responsible for owning its risk activities, as well as for understanding how its function interacts with other services.
Second line. Compliance or security assurance groups, comparable to the risk or compliance function in a financial institution, are in place at CSPs. The second line governance reporting oversees the enforcement of the teams’ risk management at a detailed level. Second line staff in a CSP, who are typically engineers and security experts, provide continuous validation checks to ensure service teams are meeting a high bar for security and operational resilience. Other formal groups conduct penetration testing, security reviews and onboard services into different client programs.
Third line. A robust internal audit function in CSPs is comparable to the internal audit department in financial firms. Large customer audit teams operate within the CSP. To a greater extent than banks, they release dozens of assurance reports on a regular basis to provide evidence of their control posture. CSPs are also heavily audited by third parties in terms of their standards, controls and processes.
Focus on automation
CSPs use advanced automation in their risk management and compliance practices, minimizing manual controls. That helps CSPs to provide services at scale, such as detecting and alleviating security events rapidly, redirecting traffic, or load balancing.
Automated controls generate significant benefits, including improved accuracy, a clear audit trail, centralization and harmonization among organizational silos, such as finance and risk. Thus, CSPs are able to address certain technology concerns more effectively than financial institutions, including always-patched databases, deep and comprehensive logging, one-click threat analysis, and access to multiple geographic regions for resource deployment. Financial institutions benefit from CSPs’ automated collection of evidence and mapping.
Automated services continuously collect and organize IT configuration and logs in a streamlined fashion, which can then be delivered to the bank’s risk management group.
Another great power of the cloud is automated compliance. Rather than standard on-premise practice of a manual process that an infrastructure team must configure, CSPs use code to automate compliance controls, guaranteeing consistency and comprehensiveness.
Focus on innovation
Cloud service providers are among the top innovators in the world. They continuously use leading-edge technologies to drive effective risk management. Century-old financial institutions may be slowed by a legacy organizational structure based around risk and control. CSPs, which don’t have legacy debt or business incentives to keep over time, are willing to build more efficiently from scratch and remain more efficient over the long run. The CSP, armed with new ideas, can deliver its products much faster than traditional banks can.
Since the onset of the COVID-19 global pandemic, financial institutions have accelerated their use of cloud capabilities, to support remote work, customer service and higher transaction volume. Meanwhile, regulators have become more cognizant of how CSPs work and more comfortable with their risk management practices.
When it comes to risk management, one of the stark differences between a CSP and a financial institution is that a CSP has the ability to empower its employees to be innovative in terms of managing risk.
The overarching goal of the regulators remains the safety and soundness of their supervised financial institution, along with the protection of the end customer. As regulators grow increasingly familiar with the new efficiencies and culture of the cloud service provider industry, there should be increasing customization in their oversight of CSPs.
Noah Kessler, managing director at Protiviti, can be reached at [email protected].