Under the cloud of regulators
18 December 2017
Regulators may demand operational risk oversight of cloud operators to satisfy cyber risk concerns.
Speaking at the Harvard Institute for Applied Computational Science in March 2017, Martin Chavez, chief financial officer at Goldman Sachs, said the bank assumes “all computers are hostile” and has adopted a policy and subsequent safeguards to match that view when working with providers of cloud services. This has included working with providers such as Amazon Web Services to develop security layers, such as encryption, to mitigate the risks of successful penetration.
“We have been migrating away from the illusion that because computers are enclosed in our data centres, they are somehow safe computers and those computers out there on the web – Amazon Web Services, Microsoft Azure or Google Cloud – are somehow dangerous computers when actually I think it is the opposite,” he said.
Chavez’s approach mirrors the prevalent expectation that all firms will be hacked and that defence is more about managing that risk than preventing it. However, regulators still approach cyber security as a barrier to attack and, as a consequence, authorities may block the use of some third-party resources – including public cloud – by banks.
The value of cloud
Cloud offers a transformational capability for financial services institutions. Private cloud elasticises a firm’s compute resources, building on infrastructure dedicated to one organisation to generate contained scalability that can support IT development and testing. Public cloud takes that to another level, with providers such as Amazon Web Services and Microsoft Azure offering virtually unlimited resources.
Use by the banking industry is a grey area at present. Outsourcing and operational risk have changed substantially as a concern for authorities since the Basel Committee on Banking Supervision (BCBS) published its ‘Outsourcing in Financial Services’ guidance in 2005. The terms ‘cloud’ and ‘cyber’ were entirely absent from that document, and ‘IT security’ was little more than a footnote. Since then, national competent authorities (NCAs) have been actively engaging with financial services firms’ demand for guidance on cloud services. For example, in July 2016 the Monetary Authority of Singapore (MAS) updated its outsourcing framework to specifically address cloud services arrangements, which it categorises “as a form of outsourcing”, noting that responsibility and accountability for oversight of those services rests with the bank, which must take a risk-based approach to managing them.
Likewise, cross-jurisdictional regulatory bodies are developing a base to support compliant cloud use. In its September 2017 ‘Guide to assessments of fintech credit institution licence applications’ the European Central Bank said that the ECB and NCAs will consider whether any cloud service provider that supports a fintech bank applying for a licence complies with legal and regulatory requirements.
The precedent for cloud regulation
This creates a precedent for authorities to act as a gatekeeper between a provider and its user. However, many jurisdictions lack clear guidance upon which to base such a decision. In July 2017, the European Banking Authority (EBA) opened a consultation on the use of cloud by banks, which found that in many cases technical requirements set by member states were underdeveloped and that around 50% had principles-based regulatory frameworks.
Policy will need to be developed that bridges that gap. Our expectation is that, in line with current regulatory practice, authorities are more likely to take a worst-case-scenario approach and develop guidance that sets a high barrier to engagement with cloud providers, rather than allow access and risk the public outcry should such an arrangement go wrong.
What would this look like?
In one scenario, authorities require providers to meet the same standards as a financial services firm, monitored by the financial services firms themselves. This has an advantage in that the details can be set out during service level agreement negotiations.
In the second scenario, authorities extend existing rules to cover cloud services providers directly. It is safe to assume that in this scenario banks will find their cloud services providers must meet the same standards that the banks themselves adopt before the banks are allowed to access those services.
While neither option is perfect, both can be greatly enhanced if banks work closely with their cloud services providers. Taking the example of Goldman Sachs’ encryption work with Amazon, solutions can be found that address the real risks banks face. The alternative is that public cloud stays off limits.