A recent U.S. Department of the Treasury report highlights the potential benefits and challenges of a growing trend: financial sector firms adopting cloud services.
Cloud technology can provide better access and reliability for local communities, while also enabling community banks to compete with financial technology firms. The report found, however, that Cloud Service Providers (CSPs) need to offer more visibility, staff support, and cybersecurity incident response engagements for these firms that are increasing their reliance on cloud-based technologies. Moreover, the report suggests that Treasury and the broader financial regulatory community should undertake further evaluation in order to understand the financial risks connected to using a small number of providers offering cloud services.
This report is the first of its kind and was created after months of collaboration with the Financial and Banking Information Infrastructure Committee (FBIIC) and with feedback from U.S. regulators, industry leaders, trade associations, and research centers. It does not impose any regulations or advocate for any specific cloud service provider.
Treasury reported that cloud technology could benefit financial organizations by making them more secure and resilient.
However, the report also identified several challenges, such as:
- Insufficient transparency to support due diligence and monitoring by financial institutions. Community banks have voiced their concerns about not receiving sufficient information regarding incidents or outages affecting their systems. It's important for financial institutions to have a comprehensive understanding of the risks involved with cloud services in order to establish appropriate consumer protections within their technology architecture. Although CSPs currently offer considerable information to financial institutions, the Treasury believes that additional efforts are necessary to establish an appropriate balance of information sharing between CSPs and financial institutions.
- Gaps in human capital and tools to securely deploy cloud services. There is a significant shortage of skilled professionals capable of assisting financial firms in customizing cloud services to enhance customer experiences and safeguard their data. CSPs must increase their number of employee engagement experts and enhance their technological tools and adoption frameworks to ensure financial service firms can create and maintain secure, resilient platforms for their customers.
- Exposure to potential operational incidents, including those originating at a CSP. Financial institutions have raised concerns regarding the possibility of a cyber vulnerability or incident at a CSP having a cascading impact on the broader financial sector. While cloud services may offer benefits for security and resilience, institutions remain exposed to risks associated with technical vulnerabilities at CSPs and face practical challenges in mitigating these risks or transitioning to another provider.
- Potential impact of market concentration in cloud service offerings on the financial sector's resilience. The present market is concentrated among a limited number of CSPs, implying that an incident at one CSP could have a simultaneous impact on several clients in the financial sector. This concentration is expected to be present in banking, securities, and insurance markets. However, Treasury and financial regulators need to gather more data to evaluate the potential impact of such an event on the sector. Despite this, Treasury believes that there are possibilities for improving collaboration among financial regulators and between the public and private sectors.
- Dynamics in contract negotiations given market concentration. The limited availability of CSPs may result in an imbalanced bargaining power when negotiating contracts with financial institutions. This could potentially limit the ability of smaller financial institutions to secure beneficial terms for cloud services.
- International landscape and regulatory fragmentation. The varying regulatory and supervisory approaches to cloud technology around the world can make it difficult for U.S. financial institutions to adopt cloud technology on a global scale. This decreases the use of CSPs in the market and raises the costs of cloud adoption strategies, which ultimately impacts consumers. Furthermore, changes in regulations in foreign countries may result in direct oversight of CSPs by foreign financial regulators, potentially creating regulatory conflicts that negatively impact the quality and security of services for all CSP clients.
Treasury has made recommendations to help the financial sector use cloud services safely and responsibly. Collaboration with financial regulators, agencies, and CSPs will be ongoing to implement these recommendations. Additionally, an interagency Cloud Services Steering Group will be established within the next year to address the issues outlined in the report.
While the financial sector faces challenges in adopting cloud-based technology, the benefits are undeniable. As the U.S. Treasury report shows, with proper risk management and collaboration between industry and regulators, the financial sector can leverage cloud-based technology to drive innovation and improve efficiency.