The Treasury Department issued a report regarding the benefits and challenges associated with the use of cloud service providers (CSPs) by financial sector firms, finding shortcomings related to transparency, staff support, and cybersecurity incident response.
Cloud computing, as defined in the report, is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or CSP interaction.” Service models range from software-as-a-service, platform-as-a-service, or infrastructure-as-a-service, all with varying amounts of control by the financial institution and the CSP.
The benefits of cloud services for the financial services industry are generally accepted. CSPs can provide clients with redundancy for systems that allow for continuity of service in case one portion of the system fails. They can supply scalable resources that enable clients to ramp up or down services quickly and efficiently. They offer security for services provided, although this benefit varies from provider to provider. And they allow clients to forgo the purchase of expensive information technology hardware and equipment.
“There is no question that providing consumers with secure and reliable financial services means greater demand for cloud-based technologies,” said Deputy Secretary of the Treasury Wally Adeyemo in a press release Wednesday. “Treasury is committed to working with financial regulators, industry partners, and cloud service providers to drive greater collaboration and transparency. By building trust, cooperation, and collaboration at the outset, we can promote safe and effective migration for financial institutions that choose to adopt cloud services.”
The agency’s report found financial institutions have adopted cloud services most commonly to facilitate remote work and operate banking and trading platforms that support internal operations and business line functions. However, the Treasury also identified issues with CSPs, particularly for small- and mid-sized firms.
Cloud services provide inadequate transparency to support due diligence and monitoring by financial institutions and are negatively affected by gaps in human capital and tools necessary for secure deployment; the relatively small number of CSPs, meaning a cyber incident at one CSP could potentially affect many financial institutions at once; and patchwork global regulations that make it nearly impossible for U.S.-based firms to adopt cloud services consistently at a global scale, the report said.
The Treasury recommended ways to address the problems it outlined, including the promotion of closer U.S. regulator cooperation on cloud services, conducting tabletop exercises with industry, reviewing sector-wide incident protocols, appropriately measuring cloud service dependencies across sector and assessing systemic concentration and related risks on a sector-wide basis, and identifying how to foster effective risk management practices in the financial services industry.