ABA Banking Journal

Cloud services: Outsourcing the service, but not risk

Banks must have strong risk-management practices in place when using third-party cloud service providers, starting with contract language.

January 29, 2025

By Walt Williams

There is a saying among risk management professionals that you can outsource the task, but you can’t outsource the risk, according to Jaime Manriquez, CIO and CISO at Santa Cruz County Bank. “At the end of the day, the bank itself or the institution is still going to be responsible and accountable for whatever security breach they may have,” he explains.

That philosophy is pertinent when it comes to cloud adoption, as federal regulators have repeatedly stated that they expect banks to have third-party risk management frameworks in place when outsourcing technology services. Cloud providers may do the tasks, but it is banks that assume much of the risk.

“A lot of these tech companies don’t fully understand that,” Manriquez says. “So it is kind of ironic that, in some cases, we’re trying to hire bankers or regulators so they can teach them about the frameworks that we operate under.”

There are different strategies for approaching cloud services risk management. Santa Cruz County Bank uses a hybrid strategy in which it maintains responsibility for security. Other banks may outsource most of their functions to the cloud. There are few wrong or right answers when it comes to deciding which approach works best for an institution, and there are resources available to help banks make that choice.

“It pretty much goes back to what the business strategy is,” Manriquez says.

Federal focus

In 2022, U.S. Treasury Department officials started reaching out to bank executives from institutions of all sizes about how their institutions were using cloud computing and the challenges they faced, says John Carlson, SVP for cybersecurity regulation and resilience at ABA. Prior to Treasury focusing on cloud computing, the federal banking agencies had issued several advisories on cloud computing and conducted audits of major cloud service providers as part of a program to assess significant service providers that banks rely upon. Treasury officials wanted to know the benefits for banks in using cloud technology as well as some of its challenges. Their findings were outlined in a paper published the following year.

“When Treasury published their paper in February 2023, they laid out all these benefits, but also flagged a number of pretty significant challenges that financial institutions were encountering,” Carlson says. “Among those were insufficient transparency to support due diligence and monitoring by financial institutions, as well as exposure to potential operational incidents, including those originating at a cloud service provider, and also some concerns about the potential impact of market concentration.”

The Treasury Department created a steering committee with representatives from both the government and private sectors. The agency also partnered with the Financial Services Sector Coordinating Council, an industry-led organization of which ABA is a member. Those efforts led to the release last year of a suite of resources to enhance the relationship between cloud service providers and financial institutions. The resources were also meant to give regulators more confidence that those institutions were using cloud services safely and soundly.

Fine print

One of those resources was a 21-page document, titled “Financial Sector Cloud Outsourcing Issues and Considerations,” providing a non-exhaustive list of key considerations for developing contractual language with cloud service providers, specifically to address risk and supervisory and compliance expectations when using the services. For example: In those contracts, what rights and availability does a financial institution have to get information from the cloud provider?

“Even if you use a third party, whether it is an on-premise provider or a cloud provider, you as the institution still own the responsibility for compliance,” says Allen Brandt, chief privacy officer at Depository Trust and Clearing Corporation, who spoke about the paper during a Cloud Security Alliance webinar in August.

“You cannot outsource your regulatory compliance. … What ability does the financial institution have to get information from the third party?”

Another consideration in contract language should be notification and reporting, he says. “We all have incident notification requirements. We potentially have things when you make material changes. And what type of reporting can the provider give to you, as the financial institution, [and] in what timely manner? Does it meet your regulatory requirements?”

Then there are roles and responsibilities. “What’s the responsibility of the cloud provider to maintain their piece? What’s yours?” Brandt says. “How do they interface together? How do you notify each other when there are incidents? How do you notify each other when there are changes?”

Testing for when things go wrong

Another area banks should consider when drafting contracts is what processes cloud service providers have in place for testing and resilience, says John McDonald, global head of cloud governance at Bank of America, who also participated in the CSA webinar. As an example, he points to the CrowdStrike outage in July, which caused widespread service disruptions at banks and many other sectors of the economy.

“When [a cloud service provider] has an outage, understanding the downstream impact on that is important, and that information is not consistently provided to financial service institutions who need to incorporate it into their business continuity testing and resilience programs,” McDonald says.

Banks need to understand how cloud service providers are testing for resiliency and what plans they have for bringing those services back online, he says. “And then you have to link that to what you can do as a customer, because there is a significant responsibility from a customer standpoint.”

Human resources

Manriquez — who is also a member of ABA’s Core Platforms Committee — stresses the need to establish clear contractual terms and responsibilities regarding security, incident response and data location. But after those contracts are signed, banks must continue to have regular meetings and open communication with cloud providers to stay up to date on product changes and strategic plans, he says.

“What we do in our case, with our Microsoft relationship, is we meet once a month,” he says. “We touch base on what’s working, what’s not working, what products do you guys have.”

Still, at the end of the day, the best advice Manriquez has for banks trying to manage their cloud risks is to invest in their workforce. “And what I mean by investing in their human capital is sending them to training, keeping their certificates current and also retaining and developing staff,” he says.

Walt Williams is senior editor of ABA Banking Journal.

© 2025 American Bankers Association. All rights reserved.
