As fintechs and financial services firms turn their attention to cloud technology, many are running into challenges, ranging from information sharing with regulators to the lack of agreed best practices. To simplify the cloud adoption journey for firms, the US Department of the Treasury and the Financial Services Sector Coordinating Council (FSSCC) have published a suite of resources.
The report seeks to give firms of all sizes a set of effective practices for secure cloud adoption and operations. Highlights include establishing a common lexicon that financial institutions and regulators can use in discussions about cloud, and a call for enhanced information sharing and coordination in the examination of cloud service providers.
The report also calls for an assessment of existing authorities for cloud service provider (CSP) oversight, and for best practices covering third-party risk associated with CSPs, outsourcing, and due diligence processes, so as to increase transparency. Alongside this, it calls for improved transparency and monitoring of cloud services to support better ‘security by design’.
Lastly, the report notes that there must be a roadmap for institutions considering comprehensive or hybrid cloud adoption strategies including an update to the Financial Sector’s Cloud Profile.
Supporting adoption
These deliverables are the result of a year-long public-private partnership of the Financial and Banking Information Infrastructure Committee (FBIIC) and the FSSCC.
To provide leadership support for this joint effort, the US Department of the Treasury established the Cloud Executive Steering Group (CESG) in May 2023. This was done at the direction of the Financial Stability Oversight Council (FSOC) to help close the gaps identified in Treasury’s report on the Financial Services Sector’s Adoption of Cloud Services.
Creating a resilient ecosystem
“The completion of these two efforts is the culmination of nearly two years of collaboration to further protect our financial system,” said Deputy Secretary of the Treasury, Wally Adeyemo. “The CESG is now a proven model and a new way for the financial services sector to effectively address our most significant cybersecurity challenges.”
“Our financial system is essential infrastructure for the entire economy, and it is deeply reliant on a handful of powerful big tech cloud service providers,” said Consumer Financial Protection Bureau (CFPB) director, Rohit Chopra. “Our work will help protect the financial industry from outages in addition to disruption by levelling the playing field between financial firms of all sizes and big cloud service providers.”
“Banks and other financial services firms know they must adapt to new technologies, but many have been uncertain as to how to do so safely and soundly,” said Michael J. Hsu, Acting Comptroller of the Currency. “The publications mark a significant step forward by providing a roadmap and helpful resources for banks of all sizes. These documents also clarify cloud service providers’ responsibilities for ensuring a secure and resilient financial system.”
“These documents are an important step forward in the CESG’s effort to make the cloud safer and more resilient within and beyond the financial services industry,” said Bill Demchak, chairman and CEO, PNC Financial Services Group. “The strong partnership between public- and private-sector leaders allows us to take a more holistic, collaborative approach to defending against evolving threats.”
Putting in the groundwork and addressing challenges
The FSSCC and FBIIC led a variety of workstreams aimed at building greater understanding of, and preparation for, cloud integration. Under their joint leadership, the US Treasury and FSSCC also plan to publish additional items on cloud cyber incident response coordination and concentration risk as these are completed over the course of the year.
Cloud Profile 2.0 (led by FSSCC)
The Cloud Profile 2.0, authored collectively by the FSSCC Cloud Profile Workstream and the Cyber Risk Institute (CRI), is intended to serve as a cloud security implementation plan for financial institutions of all sizes and functions.
The Cloud Profile 2.0 is an extension of the Cybersecurity Profile created by CRI, a tool based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It provides a framework for both financial institutions and CSPs and is intended to serve as a common tool to help financial institutions implement cloud securely, while allowing the document itself to evolve as standards change over time.
The Financial Sector Cloud Outsourcing Issues and Considerations document (led by FSSCC)
The Financial Sector Cloud Outsourcing Issues and Considerations document seeks to address challenges raised in the Treasury Cloud Report related to transparency, resource gaps, exposure to operational incidents originating at CSPs, and contract negotiation dynamics.
The document, authored collectively by the FSSCC Cloud Outsourcing Issues and Considerations Workstream and the American Bankers Association (ABA) with support from the Securities Industry and Financial Markets Association (SIFMA), identifies a non-exhaustive list of key considerations for developing contractual provisions between financial institutions and CSPs that address risks and regulatory and supervisory compliance expectations when using cloud services.
These key considerations are intended as a voluntary reference tool for financial institutions during the contract negotiation phase of onboarding a CSP, to appropriately address cybersecurity, resilience, and third-party due diligence expectations, and to enable compliance with growing financial services regulatory requirements and supervisory expectations.
The Transparency and Monitoring for Better “Secure-by-Design” (led by FSSCC)
The Transparency and Monitoring for Better “Secure-by-Design” document, authored collectively by the FSSCC Transparency and Monitoring Secure-by-Design Workstream and the Financial Services Information Sharing and Analysis Center (FS-ISAC), comprises two outputs for financial institutions with workloads running in CSP environments.
The first is a service interdependency and resilience model that combines service transparency, architecture best practices, and more detailed information about how a CSP manages the resiliency of its own services.
The second proposes packaged cloud configurations that deliver the baseline security outcomes expected of financial services infrastructure. The aim is to simplify financial institutions’ deployment of CSP workloads (“security by default/design” and “one-click” security), making it easy for them to turn on secure infrastructure quickly with minimal engineering.
The Cloud Lexicon (led by FBIIC)
The Cloud Lexicon is a foundational document that captures the most prominent terms used by cloud service providers and financial services sector consumers in a single repository and reference point. Development of the Cloud Lexicon was led by the Office of the Comptroller of the Currency (OCC). It is intended to enable CSPs and financial services sector institutions of all sizes to speak in standardised terms when negotiating contract terms, establishing security schema, and adhering to regulatory standards.
The document is based on a review of publications from several standard setting bodies and industry associations, and included interviews and feedback from financial institutions, regulators, and CSPs.
The Coordinated Information Sharing and Examinations Initiative (led by FBIIC)
The Coordinated Information Sharing and Examinations Initiative, led by the CFPB, is a collaborative effort that addresses coordination of examinations and information sharing related to CSPs, under the respective agency’s legal authorities. The documented process will support enhanced coordination between agencies to monitor and address risks to both the financial sector and consumers that can arise from financial institutions’ engagement with CSPs.
This collective set of deliverables is intended to highlight opportunities to leverage CESG deliverables into the broader regulatory, oversight, and examination schema, and strengthen the shared responsibility model for cloud services provision in the financial services sector.