Fortified In The Cloud - The Risk Management Strengths of Cloud Service Providers for the Financial Services Industry
Cloud is on the rise in financial services and regulators are taking note.
The widespread use of cloud service providers (CSPs) in the financial services industry continues to grow. According to a recent study by the Cloud Security Alliance (CSA), 91% of financial services organisations are actively using cloud services today or plan to employ them within six to nine months. That is double the number reported in CSA’s prior study on this topic from four years ago.
Having evaluated the benefits, large, well-known financial institutions are embracing the cloud, resulting in its exponential growth in the industry. While the cloud delivers a raft of benefits, the pace of cloud adoption in the industry has also provoked questions regarding the efficacy of risk management and compliance practices within CSPs. However, CSPs are well-positioned and, in fact, when it comes to the cloud, highly experienced in practicing effective risk management. As we detail in this paper, mature and robust risk management practices and processes are embedded in every vertical and product line in leading CSPs, frequently aligning with the traditional three lines of defense in financial services institutions: management control, risk and compliance oversight, and internal audit.
Regulators, who count CSPs within a broad category of emerging technology organisations that also includes fintechs and regtechs, among others, have been publishing guidance on the use of these technology organisations and providers for nearly a decade. Until recently, however, this guidance has not been very detailed.
Ultimately, the burden of providing regulators with greater comfort regarding the use of CSPs rests with the regulated financial services industry. The challenge with emerging technologies, including cloud, is to prove to the regulators that CSPs and the financial services firms that use them really do understand and have accounted for effective risk management in their organisations.
At the same time, regulators are still developing and introducing guidelines for how best to examine organisations like CSPs. In 2020, for example, the Federal Financial Institutions Examination Council (FFIEC) released its guidance around cloud computing. The CSPs themselves, as well as independent third party groups such as the CSA and the Center for Internet Security, had previously recommended similar guidelines.
The bottom line is that as cloud adoption in the financial services industry has increased, regulators are becoming more knowledgeable about how financial institutions are relying on CSPs without sacrificing the rigor required in risk management and compliance practices within the financial services industry.
“Cloud service providers have completely disrupted financial institutions' ability to deliver cost-effective digital experiences that are both secure and scalable. Cloud service providers pride themselves on their cutting-edge security, governance and risk management techniques, and financial institutions that are architecting cloud environments with an understanding of the various cloud shared responsibility models are greatly benefiting.”
Keep in mind that in the eyes of the regulators, any issue that arises ultimately is the responsibility of the financial institution. That risk ups the ante on financial institutions’ third party risk management programmes and the need to provide evidence of management of third party risks.
Within a CSP, as in financial institutions, independent credible challenge is performed to ensure that product and service teams are held accountable. Separately, a CISO is responsible for the overall security of the cloud.
CSPs are among the top innovators in the world. They continuously leverage leading-edge technologies and automation to drive effective risk management.
Regulatory engagements with CSPs increasingly reflect regulators’ growing understanding not only of the benefits and risks of cloud computing services, but also of how CSPs effectively operate their risk management and compliance programmes. When it comes to risk management, one of the stark differences between a CSP and a financial institution is that a CSP has the ability to empower its employees to be innovative in terms of managing risk.
Since the onset of the COVID-19 global pandemic, financial institutions have accelerated their use of cloud capabilities to support scale up, remote work, customer service and higher transaction volume. At the same time, regulators have become more conversant with how CSPs work and more comfortable with their risk management practices.
The overarching goal of the regulators remains the safety and soundness of the financial institutions they supervise, along with the protection of the end customer. As regulators grow increasingly familiar with the new efficiencies and culture of the cloud service provider industry, their oversight of CSPs should become increasingly tailored to how those providers operate.