Cloud Adoption in Financial Institutions: Navigating the Compliance and Regulatory Requirements

I'm excited to dedicate this edition of my newsletter to the financial industry, which has been the focus of much of my professional life. Having spent 15 years working in some of the largest financial institutions (Western Union, Bank of America, as a contractor for Wells Fargo, and in my latest role as a Senior Technology Risk Manager at Citigroup), I have witnessed how the industry has been cautious about adopting cutting-edge technology and venturing into the latest technical trends, mainly due to the heavy regulations it faces.

In 2020 IBM commissioned a report by Celent, a research and consulting firm focused on the application of information technology in the global financial services industry, which states the following:

"Public cloud adoption has been growing steadily in many industries. Financial institution (FI) cloud adoption has been slower, though, because these firms are heavily regulated due to the large amount of confidential financial customer information they possess. FI information security; risk and compliance; and ecosystem management, integration, and control preferences are exceedingly high. As a result, many banking applications in the public cloud today are not mission critical or do not directly expose core systems and databases. However, banking industry attitudes toward the public cloud are changing. First, large financial institutions have begun exploring public cloud use cases. For example, 19 of the top 20 banks in the US have already announced public cloud initiatives. Second, fintech challenger banks and smaller financial institutions have implemented core banking platforms and other mission-critical systems in the public cloud."

Read the full report here: Public Cloud Adoption in Financial Services

The report suggests that this represents a growing opportunity for cloud providers to serve the financial services industry. Therefore, I would like to discuss the topic and provide some resources.


Advantages of a Cloud-based Infrastructure: Scalability, Flexibility, and Cost-effectiveness

  • Scalability is the ability to increase or decrease resources as needed. Businesses can scale their computing resources up or down based on demand: virtual machines can be provisioned or deprovisioned as load changes, storage can be allocated or released based on the amount of data being stored, and networking resources can be reconfigured to handle changes in traffic or usage patterns. This allows the infrastructure to absorb spikes in traffic or resource usage without impacting regular business operations.
  • Flexibility is another advantage of a cloud-based approach, as it enables businesses to access their data and applications from anywhere, at any time. It also allows businesses to rapidly deploy new applications and services without significant up-front investment in infrastructure.
  • Cost-effectiveness is a key benefit of a cloud-based approach, as it enables businesses to pay only for the resources they need, when they need them. Cloud providers typically offer a range of pricing models that allow businesses to choose the most cost-effective option for their needs.

Decoding the Shared Responsibility Model

In this context, the shared responsibility model is a tool that clarifies the roles and responsibilities of the cloud service provider and the customer, so that both parties know which security and compliance controls each of them manages. This shared understanding helps to ensure that the cloud environment is secure and compliant.

By understanding which party is responsible for which security and compliance requirements in the cloud environment, customers can identify the measures to take for the parts they are responsible for and take appropriate steps to ensure that these measures are implemented and maintained.

High-level representation of the shared responsibility model

Strategies for Achieving Cloud Compliance: What You Need to Know

Since financial institutions are increasingly adopting cloud computing, ensuring compliance with regulatory requirements and industry standards is critical for maintaining trust and avoiding financial fines. Understanding the resources available for achieving cloud compliance is essential for managing risk and staying competitive.

Regulatory agencies play a significant role in setting and enforcing compliance standards for financial institutions.

In 2020, the OCC (Office of the Comptroller of the Currency), along with the other FFIEC (Federal Financial Institutions Examination Council) members, issued a joint statement addressing the use of cloud computing services and security risk management principles in the financial services sector. The statement emphasizes the importance of sound security controls and of management's understanding of the shared responsibilities between cloud service providers and their financial institution clients. It provides examples of risk management practices and an extensive list of additional resources that represent different supervisory perspectives on effective information technology risk management. It is important to highlight that this statement does not contain new regulatory expectations; it is guidance for financial institutions. Read the full statement here: Joint Statement: Security in a Cloud Computing Environment

The Federal Reserve Board, as the central banking system of the United States, has made its guidelines for effective information technology risk management publicly available, which gives financial institutions clarity on supervisory expectations and activities. Get full access to the Information Technology Examination Process, Cybersecurity Guidelines, Business Continuity / Disaster Recovery, Operational Resilience, Rules, Regulations, and Notices at this link: Supervisory Policy and Guidance Topics: Information Technology Guidance

As for the European Union, the EBA (European Banking Authority) is the regulatory agency responsible for creating the rules for banks in Europe, so that everyone plays by the same rules and customers are protected. It also makes sure that bank supervisors work in a consistent way. In 2018 it launched its guidance for the use of cloud service providers by financial institutions; read the full guide here: Final draft Recommendations on Cloud Outsourcing (EBA-Rec-2017-03). It is a very extensive document, but in short it includes recommendations on materiality assessments, the duty to inform supervisors of the use of cloud outsourcing, access and audit rights, the security of data and systems, the location of data and data processing, contingency plans, and exit strategies.

I want to include the regulatory body of Costa Rica, SUGEF (Superintendencia General de Entidades Financieras), for two reasons: Costa Rica is my home country, and it also makes a point. Every country has its own legislation, and it is essential for Risk Managers and Cybersecurity professionals to consider this when working on the deployment of a cloud solution in the financial industry. In Costa Rica, the General Regulation of Information Technology Management establishes the minimum requirements for the management of information technology that supervised and regulated entities and companies of the Costa Rican financial system must abide by. You can access the legislation here: Normativa Vigente.

There are also non-regulatory bodies that offer guidance and best practices for achieving compliance, such as ISO/IEC (with ISO/IEC 27017) and NIST.

  • ISO/IEC 27017, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, provides guidelines and best practices for information security management in cloud computing environments.
  • NIST (National Institute of Standards and Technology) is responsible for developing and maintaining a wide range of standards, guidelines, and best practices related to technology and information security. Some of the most well-known NIST publications include the Cybersecurity Framework, the Risk Management Framework, and the Special Publication (SP) 800 series, which covers topics such as encryption, access controls, and incident response. NIST has published several documents related to cloud computing, including Special Publication (SP) 800-146, Cloud Computing Synopsis and Recommendations. According to its own abstract, this guideline describes cloud computing benefits and open issues, presents an overview of the major classes of cloud technology, and provides guidelines and recommendations on how organizations should weigh the relative opportunities and risks of cloud computing.

On top of everything I have presented here, there are also various standards that financial institutions must comply with regardless of whether their systems are on-prem or in the cloud, and it is important to know these regulations in the context of a new implementation. To mention some: the Payment Card Industry Data Security Standard (PCI DSS), which ensures the security of cardholder data; the Gramm-Leach-Bliley Act (GLBA), a US federal law that requires institutions to protect the privacy and security of their customers' personal information; and the General Data Protection Regulation (GDPR), the European Union regulation that governs the collection, use, and storage of personal data of EU citizens.

Cloud computing offers many benefits for all industries, but it presents a unique set of challenges around data security and compliance. Financial institutions must take a comprehensive and strategic approach to adopting cloud computing to ensure that they can effectively manage risk and comply with regulations.


My goal is to provide a safe and welcoming space for humble knowledge sharing and growth, so please feel free to share your thoughts and experiences to help others learn more about the nuances of deploying cloud solutions in the financial industry and beyond.

What challenges have you faced when deploying cloud solutions for financial institutions, and how have you addressed them? Have you worked in other industries, and if so, how does their approach to cloud adoption compare with this? Please share your thoughts and leave your questions.

Keep learning and stay curious!

The Capi.

#CybersecurityMatters #CloudSecurity #RiskManagement101 #ComplianceMadeEasy #FinancialRegulations #SecureCloudComputing #RiskAssessmentTools #ComplianceCulture #RegulatoryCompliance #CyberAwareness

P.S.:

Recently, I had a conversation with Diego Alonso Sánchez Solano, who has extensive experience in the financial industry and now works in Cybersecurity. Our discussion revolved around the use of the latest technologies in other industries compared to tech companies. I highly recommend reading his inspiring testimony:

My conclusion from that conversation is that the financial industry may be slow to adopt new technology and to jump into the cloud and other edge technologies; however, cloud computing has become increasingly popular due to its scalability, flexibility, and cost-effectiveness, and as a result more and more participants from various industries are embracing it, including the financial sector.

Luis García S.

Technology Operations / Risk Management / PM

1 year

Thanks for sharing, very useful information.

CHESTER SWANSON SR.

Next Trend Realty LLC./wwwHar.com/Chester-Swanson/agent_cbswan

1 year

I'll keep this in mind.