Small banks struggle with cloud risk, providers
Banks are increasingly moving to the cloud, but small banks are at a distinct disadvantage in doing so, according to a federal working group.
In one example, two small banks left cloud talent openings vacant for two years, did not negotiate audit rights into their cloud contracts and had no way to extract their data from the provider. Those experiences were cited by an official at a U.S. Department of the Treasury event in July announcing the release of cloud adoption and configuration guides aimed at closing the sophistication gap between institutions like these and much larger banks.
The resources, published in July by several public-private groups working under the oversight of the U.S. Department of the Treasury, are intended to arm financial institutions with effective practices for secure cloud adoption. They address concerns around “transparency, resource gaps, exposure to operational incidents … and contract negotiation dynamics” that the Treasury identified in its 2023 report on cloud services. The working groups are specifically concerned about whether smaller institutions can meaningfully negotiate these important contracts with large enterprise tech companies such as Amazon.com and Microsoft Corp., and whether they can securely configure the cloud environments they buy.
“As banks and other financial services firms migrate to the cloud, the probability of disruption and cyberattacks … can increase materially if effective controls are not implemented,” said Acting Comptroller of the Currency Michael Hsu at the July interagency event announcing the resources. “Banks and other financial services firms know they must adopt new technologies, but many have been uncertain about how to do so safely and soundly.”
Financial institutions are increasingly interested in adopting cloud technology as a more flexible or nimble option. Ninety-one percent of the financial industry had begun migrating to the cloud as of August 2023, up from 37% in August 2020, according to a 2023 Capgemini Research Institute report based on survey data from 500 banking and insurance executives. But the actual migration has happened much more slowly: more than 50% of the firms Capgemini surveyed had “only moved a minimal portion of their core business applications to the cloud.”
Financial institutions can partner with vendors that offer cloud-native applications or services. They may also want to move existing on-premises capabilities, processes or data into the cloud, or to run a hybrid environment that spans on-site and cloud resources. Whichever model they choose, cloud environments require careful configuration and security controls specific to the platform in use.
“The cloud environment has matured greatly, but not in a centralized way. The major players have developed their own platforms, their own security methodology for maintaining it — even some of their own standards and terminology that they’re telling banks,” says Ben LeClaire, a principal on the cybersecurity team at Plante Moran. This can make audits more complicated. “There’s a theme with regards to our efforts to audit cloud environments: Who is responsible for what? … Who’s responsible for overseeing the accessing and processing of certain information?”
The Treasury’s resources include a common lexicon of cloud terminology, enhanced information sharing and coordination to examine cloud service providers. There are also best practices to monitor the third-party risk associated with cloud service providers and a road map for full or hybrid cloud adoption. The group also plans to publish additional resources related to cloud cyber incident response coordination and cloud concentration risk.
Financial institutions can use those resources to conduct a risk assessment of their existing and future technology infrastructure, including cloud environments, says Jorge Rey, a principal in cybersecurity and compliance at Kaufman Rossin. That assessment should include an inventory of on-premises security controls and the cloud-side configurations that correspond to each of them, business continuity plans, and a description of how data moves in a hybrid environment. It may also cover breach monitoring and response protocols, as well as the process improvements the bank will use to identify and manage ongoing risks.
“A lot of times, what we see with smaller banks is that they treat the cloud as separate from their business or network, and don’t realize that there’s data that’s being moved from one place to another through APIs [application programming interfaces],” Rey says. “If they don’t fully understand the data flows, then protecting those data flows can become a little more challenging.”
A go-forward cloud strategy could include the risk assessment and Treasury’s separate cloud risk profile implementation plan, API configuration and monitoring, data mapping and data flow documentation, and asset management of servers if a bank is running a hybrid environment. Rey also recommends that financial institutions select and specialize in one cloud provider as a way to simplify future vendor due diligence, technology implementation and configuration. That simplification trades against the cloud concentration risk that the working group says it will address in a future resource, so a bank standardizing on one provider should weigh the two.
Banks should also account for artificial intelligence in their cloud risk assessments and strategy. Rey points out that most AI applications are hosted in cloud environments and that cloud platforms make AI functionality easier to adopt. Executives can prepare by building their knowledge and calibrating their risk tolerances now.
“It might be time for the banks to start saying, ‘This is where we’re headed strategically and we need to better understand our risk appetite,’” he says. “Then they can figure out the next steps.”
Read the full article at FinXTech.
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.