Head in the clouds

What’s next for ensuring the resilience of the critically important cloud service provider sector?

By John Carlson

Cloud service providers like Amazon Web Services and Microsoft’s Azure have changed the game for all kinds of computing and processing needs—in many cases accelerating innovation, technology uptime and speed to market. Financial services is no exception. Just how are banks employing cloud services—and what are the implications for the financial sector’s operational resilience?

On Feb. 8, the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection released a paper on cloud computing. Treasury leadership commissioned the report to explore how the use of cloud service providers, or CSPs, may affect the financial sector’s resilience, and it includes a proposed action plan that may afford new opportunities for public-private sector collaboration.

How banks use CSPs

The primary drivers for the financial sector’s migration to cloud services include:

  • Faster development and scaling of new applications and services using cloud infrastructure and tools.
  • Competitive challenges and customer demands for digital financial products and partnerships with fintech firms.
  • Increased resilience to physical and cyber incidents.
  • Opportunity to retire legacy technology and reduce costs.
  • Expansion of IT infrastructure to support remote workers and customers’ use of digital financial services, accelerated during the COVID-19 pandemic and remaining at elevated levels ever since.

The paper also lays out key challenges financial institutions face when implementing and using cloud-based services, including:

  • Insufficient transparency from CSPs to support due diligence and monitoring by financial institutions.
  • Gaps in human capital and tools to securely deploy cloud services.
  • Exposure to potential operational incidents, including those originating at a CSP.
  • Potential impact of market concentration in cloud service offerings on the financial sector’s resilience.
  • Challenges negotiating contracts due to the concentration in the cloud computing market.
  • Regulatory fragmentation around the globe.

How will the U.S. government respond?

To address these key challenges, the paper proposes an action plan for Treasury. Key steps include establishing a cloud services steering group with the participation of U.S. federal financial regulators to promote closer domestic cooperation among regulators.

The action plan also emphasizes further engagement between banks and CSPs and the use of industry tabletop exercises, an important part of cyber incident readiness. The financial sector should review its sector-wide incident protocols in light of banks’ growing reliance on cloud services, and industry should develop appropriate measurements of cloud service dependencies across the sector and assess systemic concentration and related risks on a sector-wide basis.

Finally, given the international scale of CSP services, the paper recommends continuing to support the development of relevant standards and international policies at the G7, the Financial Stability Board and the international financial standard-setting bodies, as well as exploring ways to increase international collaboration and coordination on financial regulatory issues arising from cloud services.

What’s next?

Last year, Treasury sought input for this report from ABA staff, ABA member banks, and the major cloud service providers: Amazon Web Services, Microsoft Azure, Google Cloud and IBM. While the report does not impose any new requirements or standards applicable to regulated financial institutions, Treasury also engaged regulators from the Federal Reserve, FDIC and OCC in developing this paper. The federal banking agencies have authority under the Bank Service Company Act to examine CSPs and, as such, have gained expertise in evaluating security and operational risk controls through examinations. In addition, these agencies have issued supervisory guidance over the past decade that lays out expectations for how banks should manage CSPs as third-party providers.

As ABA continues to engage on CSP-related issues, it will convene a call for ABA members on March 1 at 2 p.m. ET to hear directly from the Treasury officials who prepared the report. The association will continue to engage with Treasury and financial regulators on many of the initiatives in the action plan through its leadership role on the Financial Services Sector Coordinating Council, where ABA SVP Paul Benda is vice chairman.

Recognizing that core processors also rely increasingly on CSPs, ABA will also engage core service providers through the ABA Core Platforms Committee. The association will continue to monitor commercial and regulatory developments in the cloud computing space, assess their effects on the banking industry, and develop resources to support banks’ exploration of and potential migration to cloud-based services, as warranted. Finally, ABA will continue to use the free Cyber Risk Institute Profile (which is aligned with the Cloud Security Alliance’s Cloud Capability Matrix) to reduce the time required to demonstrate compliance with regulatory requirements and cyber standards.

The role of cloud service providers continues to expand. This report marks an important evolution in how the Treasury, financial regulators, banks and CSPs address challenges in a collaborative manner.

John Carlson is VP for cybersecurity regulation and resilience at ABA.