Banks enhance assessment of cloud services providers as federal agencies increase focus

Federal agencies are tackling the broader cloud infrastructure and security issues impacting financial institutions, but banks will have to deal individually with many of the issues a recent Treasury report identifies.

By John Hintze

Cloud computing has been a major plus to organizations including financial institutions, cutting costs and quickly providing new and improved services to customers and the ability to scale them up rapidly. However, it is a still new and rapidly growing service offered by relatively few cloud service providers in which there remains significant risks, especially for highly regulated institutions such as banks.

This year has seen federal agencies actively address the risks and rewards of cloud computing, starting with the Treasury Department publishing a detailed report in February that updates how the financial industry is using the cloud, the challenges it presents, and the current regulatory framework. In March, the Biden Administration published its “National Cybersecurity Strategy,” in which improving cloud security is a priority. The same month, the Federal Trade Commission issued a request for information in search of market-participants’ input about the competitive dynamics of cloud computing, their reliance on it, and the related security risks.

“Large parts of the economy now rely on cloud computing services for a range of services,” said Stephanie T. Nguyen, the FTC’s CTO, in a statement. “The RFI is aimed at better understanding the impact of this reliance, the broader competitive dynamics in cloud computing and potential security risks in the use of cloud.”

In a June response to the FTC’s RFI, the American Bankers Association discussed the cloud-related issues banks face, and it made several recommendations, including that the FTC leverage the work of the Treasury Department and federal banking agencies. At ABA’s recent Risk and Compliance Conference, bankers discussed in detail the practical challenges they face in adopting and maintaining cloud services.

Where Treasury sees cloud risks

The Treasury Department’s report, “The Financial Services Sector’s Adoption of Cloud Services,” which includes input from numerous ABA members, outlines six key challenges:

  • Insufficient transparency from CSPs to support financial institutions’ due diligence and monitoring
  • Gaps in hiring and tools to securely offer cloud services
  • Potential operational incidents, including CSPs
  • Concentration in cloud service offerings affecting financial sector resilience
  • Negotiating contracts
  • Regulatory fragmentation globally

“We think it’s a very solid document and agree with its conclusions,” said John Carlson, VP, cybersecurity regulation and resilience, at ABA. “Importantly, it provides a path forward in terms of the work plan and the opportunity to be involved in dialogue with the CSPs, other financial institutions and regulators to address the identified issues.”

The Treasury report’s “action plan” to address the issues includes a public-private steering group launched May 25. The several workstreams it will focus on include documenting effective practices for cloud third-party risk; outsourcing and due diligence processes to increase transparency; hybrid cloud adoption strategies; improving transparency; and establishing a common set of terms and definitions to be used by financial institutions and regulators.

ABA highlights specific cloud risks

ABA’s FTC comment letter zeroes in on concentration risk and vendor “lock-in” risk, in which CSPs make it difficult and costly for banks and their third-party providers to move to another CSP, as complex issues that should be addressed in coordination with the Treasury Department and other financial regulators.

“The ABA reminds the FTC that banks are required to develop exit strategies for critical service providers,” ABA notes, and while ABA members acknowledge that is their responsibility, “there is growing concern that the market control exercised by CSPs poses a challenge for banks to comply with this requirement.”

Federal banking agencies have made it clear, the letter continues, that banks outsourcing an activity to a third party, such as a CSP, are still responsible for performing that activity in a safe and sound manner and in compliance with applicable laws and regulations. They must also perform ongoing monitoring of the third party’s financial condition, senior management qualifications, and risk-management program.

“The ABA encourages CSPs to design and deliver services that meet regulatory requirements for cybersecurity and third-party risk management,” the letter says, adding that ABA members complain about CSPs providing insufficient compliance with banks’ requirements.

Banks face more specific challenges

Federal agencies are tackling the broader cloud infrastructure and security issues impacting financial institutions, but banks will have to deal individually with many of the issues the Treasury report identifies. The Cloud Security Alliance June 5 report, “State of Financial Services in Cloud,” noted that just 28 percent of respondents use public cloud services for most of their regulated workloads, mostly due to CSP’s lack of transparency and respondents’ inability to demonstrate compliance to auditors and their insufficient cyber security resources.

Those hurdles, and often limited power in negotiating contracts with CSPs, are especially challenging for small and medium-size banks. David Ackley, SVP, director of information security and enterprise risk management, at $6 billion-asset Camden National Bank, said his bank is picking and choosing its battles. Discussing the issue at the conference, Ackley pointed to retention of the bank’s data and vague data-anonymization clauses as key issues.

“The bank has to be very specific about how it will allow [the CSP]to use the data and for how long it can keep it,” Ackley said, as well as understanding the CSP’s controls over who can access the data, whether internally or a fourth-party vendor that the CSP uses. “Understanding the quality of the CSP’s own vendor program and how it vets its fourth parties is crucially important.”

Ensuring the CSP is following through on contractual language requires auditing rights, but that language can be overly restrictive, Ackley said. So banks must set out their audit expectations in the contractual language or risk poor CSP responses to audit requests.

“In the end, the bank needs to be able to access the data and the information about the controls at the data centers where the bank’s data is stored,” he said.

Ackley said another important resource when performing due diligence on vendors, whether in the cloud space or other areas, is the reports of examinations of CSPs by the three federal banking agencies. Carlson added that the federal banking agencies have authority under the Bank Service Company Act to examine significant service providers including CSPs that depository institutions rely upon and then share the reports of examination with banks that have active contracts with service providers. The federal banking agencies often state that these reports of examination are not a substitute for banks conducting their own due diligence of service providers.

“It’s been an eye opener in some cases on the vendor side for us,” Ackley said, adding that there’s a relatively painless process to retrieve those reports from a bank’s examiner that generally includes providing proof that the bank uses the vendor. “It provides a wealth of information you wouldn’t get otherwise.”

Carlson, who moderated the conference session, said that federal banking regulators have examined for some time the non-depository institutions that are significant service providers to banks, and more recently they’ve expanded the program to include CSPs.

The session participants acknowledged that due diligence of CSPs differs from traditional vendors, in part because CSPs are relatively new to the financial-services arena and may not understand or have the capacity yet to provide their services in ways that facilitate bank regulatory compliance. However, if a CSP declines to explain where the bank’s data is being stored or provide other key information in the due diligence process, then the bank should probably look elsewhere.

“That’s a giant red flag. The bank needs to be prepared in those cases to say ‘no’ to a vendor who is not meeting the standards it has as a bank,” Ackley said.

Noting regulators raising the bar in terms of banks meeting regulatory compliance requirements when dealing with CSPs, Carlson asked the session participants what kind of framework they use when considering cloud products.

Mike Ambrosius, VP, chief technology risk officer at Cenlar FSB, said that when his institution began its cloud journey a few years back, it looked at a wide variety of information, including the National Institute of Standards and Technology framework, Microsoft’s cloud computing guides, the Office of the Comptroller of the Currency’s guidance on adopting new products and services, as well as OCC consent orders written against institutions that had run into trouble.

“We made sure we didn’t hit those stumbling blocks,” Ambrosius said. “We looked at a lot of the information out there to make sure what we did was at maximum safe speed as we went through our journey.”

For further insight, please see this article from earlier this year by ABA’s John Carlson.

John Hintze is a frequent contributor to ABA Banking Journal.