ABA Banking Journal

Reducing risks with expanding cloud deployment

Key outcomes from ABA and Financial Services Sector Coordinating Council efforts to engage cloud service providers in cybersecurity and resilience challenges.

July 29, 2025

By John Carlson and Joshua Hubbard

Cloud adoption among banks is increasing for many good reasons. These include: swifter development and scaling of new online applications and services, customer demand for digital financial products and partnerships with fintech firms, increased cybersecurity and operational resilience, opportunity to retire legacy technology, reduced capital expenditures, expansion of IT infrastructure to support remote/hybrid workers and customers’ use of digital financial service applications and channels, and ease of meeting international data residency requirements.

But as the Treasury highlighted in a 2023 report, financial institutions face challenges when deploying cloud services. (See ABA Banking Journal article from Feb. 9, 2023: What’s next for ensuring the resilience of the critically important cloud service provider sector?) These include: heightened exposure to potential operational incidents originating from cloud service providers (CSPs) and their deployment of AI, heightened risk and elevated impact of customer misconfigurations associated with the shared responsibility model, insufficient transparency to support due diligence and monitoring by financial institutions, gaps in human capital and tools necessary for deploying cloud services, potential impact of market concentration in cloud service offerings on the sector’s resilience, and dynamics in contract negotiations given market concentration.

In response to national concerns about risks from cloud services to financial institutions, the Treasury, several regulatory agency heads and senior executives from financial institutions launched the Cloud Executive Steering Group, a public-private partnership designed “to arm financial institutions with effective practices for secure cloud adoption.” The American Bankers Association, Financial Services Sector Coordinating Council (FSSCC), Securities Industry and Financial Markets Association (SIFMA) and dozens of financial institutions launched a collaboration to help banks and other financial associations mitigate these challenges through the development of new tools and frameworks intended to drive improvements with major cloud service providers.

One of the key deliverables from this public-private sector collaboration is the publication of a voluntary reference tool on key considerations for developing contractual provisions between financial institutions and cloud service providers to address the risks identified by the Treasury, as well as meet expanding regulatory and supervisory expectations in this area.

The 21-page tool covers 16 sections:

  • Audit (by FIs and regulators)
  • Supply chain risk management
  • Data and security
  • Data location and usage by CSPs
  • Notification and reporting
  • Operational changes to services
  • Service dependencies
  • Service deprecation
  • Indirect cloud exposure
  • Roles and responsibilities
  • Termination and exit
  • Business continuity
  • Testing and resilience exercises
  • Operational and legal changes to services
  • Indemnities
  • Limitations on liability

The tool also includes specific references to regulatory and supervisory expectations in order to demonstrate why financial institutions need this information and assurances, or risk being out of compliance. Here are samples of how the risks and mitigation recommendations are articulated in three of these 16 categories:

Audit

Risk description

  • Without sufficient audit rights, FI customers are unable to obtain information from CSPs to validate existing controls, evaluate potential risks associated with the use of cloud services and to support development of mitigating controls.

Mitigation recommendation

  • CSPs should provide each of their FI customers direct access to all key facilities and to their material subcontractors, through an onsite or virtual audit, on at least an annual basis.
  • The audit rights should allow the FI customer to review evidence related to the entire control framework operated by the CSP and include inspection of physical facilities.
  • Use of “pooled audits” may provide helpful information to FIs if properly scoped. However, FIs should reserve the right for follow-up from pooled audits to address risks that are specific to FIs.

Notification

Risk description

  • CSPs do not provide a consistent methodology for notifying FI customers of service availability or security incidents. The method and delivery for the Root Cause Analysis (RCA) at the conclusion of the incident is not consistent, and in many cases is provided only with a specific level of paid support.

Mitigation recommendation

  • CSPs should provide FIs with a communication method for all incidents, regardless of their financial commitment to a support plan.
  • RCAs for any service availability incident should be proactively provided to all FIs within disclosure, notification and reporting timeframes and the CSPs should be available to discuss the RCA with FIs, if requested.
  • For CSP security incidents that have material FI impacts, there should be an agreed-upon notification timeline consistent with the FI’s regulatory obligations.
  • CSPs should provide historical outage information, when requested.

Service dependencies

Risk description

  • CSPs do not provide a complete list of all service dependencies for each service they provide to customers, which prevents FIs from understanding how their architecture should be designed to address service unavailability and how incident playbooks should be designed to understand the downstream impacts of one service’s outage on another.

Mitigation recommendation

  • CSPs should develop a common model for disclosure to complement the overall resiliency design of each service.
  • CSPs should provide a detailed description of each primary service, including control and data plane design, service type design and all secondary service dependencies in their published service documentation.
  • CSPs should provide evidence of service testing and resiliency exercises to FI customers.

The ABA, FSSCC, SIFMA and financial institutions sought input from the four major cloud services providers – Amazon Web Services, Google Cloud, IBM and Microsoft Azure. Most of the cloud service providers offered thoughtful comments and suggestions, which the financial services team incorporated into the final tool. Some of the cloud service providers have publicly embraced these recommendations, whereas others have quietly incorporated them into product offerings.

By using this tool, banks can enhance their security and resiliency posture when adopting cloud services, while also continuing to signal to cloud service providers the importance of offering products, services and the required transparency to enable financial institutions to effectively address key risks and meet a broad range of regulatory and supervisory expectations.

“This tool is an important step forward in the financial sector’s public-private sector collaboration to make the cloud safer and more resilient within the financial services industry,” says Deborah Guild, executive vice president and head of technology for PNC Financial Services Group and chair of the Financial Services Sector Coordinating Council. “In the year since we published this tool I am encouraged by the fact that financial institutions are using it and cloud service providers are incorporating the recommendations in their offerings.”

John Carlson is SVP for cybersecurity regulation and resilience at ABA. Joshua Hubbard is program manager, cybersecurity at ABA.

Tags: Cloud computing