Treasury launches interagency Cloud Services Steering Committee to bolster regulatory and private sector cooperation
WASHINGTON—The U.S. Department of the Treasury today released a report on the potential benefits and challenges associated with the increasing trend of financial sector firms adopting cloud services technology. While cloud services can increase access and reliability for local communities as well as empower community banks to compete with financial technology firms, the report found that financial service firms ramping up their reliance on cloud-based technologies need more visibility, staff support, and cybersecurity incident response engagement from Cloud Service Providers (CSPs). The report also recommends further evaluation from Treasury and the broader financial regulatory community to continue to determine the financial risks associated with a limited number of providers offering cloud services.
The first-of-its-kind report is the product of months of work in coordination with members of the Financial and Banking Information Infrastructure Committee (FBIIC) and was developed with extensive input from U.S. regulators, private sector stakeholders, trade associations, and think tanks. The report does not impose any requirements and does not endorse or discourage the use of any specific provider or cloud services.
“There is no question that providing consumers with secure and reliable financial services means greater demand for cloud-based technologies,” said Deputy Secretary of the Treasury Wally Adeyemo. “Treasury is committed to working with financial regulators, industry partners, and cloud service providers to drive greater collaboration and transparency. By building trust, cooperation, and collaboration at the outset, we can promote safe and effective migration for financial institutions that choose to adopt cloud services.”
In assessing the current state of cloud adoption in the financial sector, Treasury found that cloud services could help financial institutions become more resilient and secure, but that there were some significant challenges that could detract from these benefits. These include:
- Insufficient transparency to support due diligence and monitoring by financial institutions. Community banks expressed concerns that they do not often receive details of incidents or outages impacting their systems. It is essential that financial institutions fully understand risks associated with cloud services so they can build their technology architecture with appropriate protections for consumers. While recognizing that CSPs provide significant information to financial institutions already, Treasury believes that further efforts are needed to achieve the right balance of information sharing between CSPs and financial institutions.
- Gaps in human capital and tools to securely deploy cloud services. The current talent pool needed to help financial firms tailor cloud services to better serve their customers and protect their information is well below demand. CSPs need to increase employee engagement experts and improve supportive technological tools and adoption frameworks that can help ensure that financial service firms design and maintain resilient, secure platforms for their customers.
- Exposure to potential operational incidents, including those originating at a CSP. Many financial institutions have expressed concern that a cyber vulnerability or incident at one CSP may potentially have a cascading impact across the broader financial sector. While cloud services can have potential benefits for resilience and security, financial institutions are still exposed to risks associated with technical vulnerabilities at CSPs and face practical challenges to mitigating such risks or migrating their operations to another provider.
- Potential impact of market concentration in cloud service offerings on the financial sector’s resilience. The current market is concentrated around a small number of CSPs, which means that if an incident occurs at one CSP, it could affect many financial sector clients concurrently. This concentration likely exists across banking, securities, and insurance markets, but Treasury and the financial regulators need to close significant data gaps to assess how the sector might be affected by this type of incident. Nonetheless, Treasury believes that there are opportunities to enhance cooperation among financial regulators and between the public and private sectors.
- Dynamics in contract negotiations given market concentration. The limited number of CSPs may give CSPs outsized bargaining power when contracting with financial institutions. This outsized negotiating advantage could limit the ability of financial institutions, particularly smaller financial institutions, to negotiate advantageous contractual terms for cloud services.
- International landscape and regulatory fragmentation. The patchwork of global regulatory and supervisory approaches to cloud technology can make it nearly impossible for U.S. financial institutions to adopt cloud consistently at a global scale, reducing CSP use in the market and raising costs for cloud adoption strategies, which ultimately impacts consumers. Additionally, changes in regulations abroad may subject CSPs to direct oversight by foreign financial regulators, which could create regulatory conflicts negatively impacting the quality and security of services to all CSP clients.
As part of addressing these challenges head-on, Treasury has developed recommendations that may assist the financial sector in realizing the benefits of cloud services in a way that is safe, secure, and responsible. To execute these recommendations, Treasury will continue working with U.S. financial regulators and other agency partners, as well as financial firms and CSPs. It is also launching an interagency Cloud Services Steering Group within the next year that will address a number of the issues identified in the report through:
- Closer domestic cooperation among U.S. regulators on cloud services.
- Additional tabletop exercises with the private sector.
- Development of best practices for cloud adoption frameworks and cloud contracts.