The attractions are obvious: in todays data-saturated world, cloud computing allows large institutions to rapidly expand their IT capacity, boost efficiency and slash infrastructure costs. The downside? New security threats, amplified by stricter rules on protecting customer data, and a dependence on third-party providers for potentially vitalservices.
It is with an eye on the downside that banks have been slow in adopting cloud computing, which involves on-demand access to a shared pool of computing resources, such as servers andapplications.
Earlier this year, the European Banking Authority (EBA) set out to change this in Europe, publishing draft recommendations for firms to enable them to reap the benefits of cloud computing, while ensuring that risks are appropriately identified and managed. The second objective is to harmonise, across the European Union, supervisors expectations of banks using the cloud. The EBA tells Risk.net it plans to publish final guidance in the fourth quarter of thisyear.
Cloud enthusiasts say such measures as well as ongoing work by cloud providers to meet banks unique needs are all steps in the rightdirection.
Luke Scanlon, Pinsent Masons
There is light at the end of the tunnel, and this [EBA] consultation will help a lot, says Luke Scanlon, who advises clients at law firm Pinsent Masons on newtechnologies.
The proverbial tunnel islong.
Take cyber security. On the one hand, cloud providers such as the leader of the pack, Amazon Web Services are likely to have security processes and technology that are at least as advanced as those of their banking clients, thanks to their technical expertise and economies of scale. On the other hand, providers can pass on a banks data or system management to yet another contractor, increasing security risks present in traditionaloutsourcing.
The EUs General Data Protection Regulation, coming into force next year, will up the ante on data security. The new rules require, among other things, that bank customers are able to request that their personal data held is deleted. One practical outcome, say lawyers, is that banks will have to clarify to cloud providers exactly how they should handle and categorise data to ensure it can be easily isolated and deleted ifrequired.
Of more concern are potentially punitive fines up to 4% of annual global turnover for firms found guilty of data breaches caused by neglect. The size of the potential fines is attracting a lot of attention from both clients and cloud service providers, says Peter George, partner at law firm Baker McKenzie, and responsible for the firms annual cloud computing survey. There will be contractual disagreements over where liabilitylies.
One way to spot and mitigate such outsourcing risks is to undertake regular audits of third-party providers, as banks in most EU countries are already required to do. The EBAs consultation now closed sets out similar guidance with a specific focus on cloud suppliers, and Scanlon at Pinsent Masons welcomes what he sees as a flexible approach to a difficulttask.
Cloud computing involves distributing data across any number of physical locations. Scanlon says that, given the largest cloud providers host services for thousands of banks, regular physical audits would be inefficient, costly and would create risks for other banking clients, related to the security of theirdata.
Rahul Prabhakar, in charge of regulatory compliance for financial services in Europe, Middle East and Africa at Amazon Web Services, puts it another way: A constant stream of people walking through our premises presents securityrisks.
Peter George, Baker McKenzie
The EBA recognises these challenges in its document and endorses alternative options where an outsourcing institution does not employ its own audit resources. These options are pooled audits, performed jointly with other banking clients, and third-party certifications or audits, provided they conform to widely recognised standards and meet the needs of the outsourcingbank.
This is a really positive step, Scanlonsays.
Prabhakar also welcomes the EBAs stance on audits but says the order of preference should be reversed. The EBA and other regulators should consider clearly stating that, one, logical [de-facto] access is more appropriate than physical access and, two, that third-party reports and certifications or pooled audits are more preferable than individualaudits.
Some regulators have been more prescriptive. Canadas Office of the Superintendent of Financial Institutions insists on being able to audit banks across their functions, says Robert Paolino, the former chief risk officer for Canada at Japanese bank MUFG. This effectively requires that data is stored within the country especially data considered as sensitive under Canadas PrivacyAct.
Oversight of cloud providers is even harder if they employ subcontractors. This may keep costs low but banking clients may not have a direct relationship with the provider of significant parts of the cloud service as a result. Its been a struggle to square that circle, says Jonathan Kirsop, partner at law firm Stephenson Harwood in London.
One solution has been for cloud providers to give notice that they are appointing a subcontractor and give clients the right to terminate that particular service. This does provide theoretical control over the supply chain, saysKirsop.
The EBAs draft advice on what it calls chain outsourcing says banks dont need to pre-approve every subcontractor, and providers can simply give clients notice of any subcontractor changes rather than require each change to be approved by all clients.
The EBA also proposes that the outsourcing institution should carefully delineate which activities can be subcontracted, and that any subcontractors fully comply with the obligations placed on the original cloud provider. The outsourcing agreement should also require the cloud provider to notify any changes to subcontracting arrangements in time for its clients to carry out a riskassessment.
A strategy for severing the relationship with a provider is another hurdle banks have to clear before cloud computing can properly take off in theindustry.
How do you extricate yourself from a cloud computing contract when youre dependent on the provider? asks George at BakerMcKenzie.
Guidance on outsourcing to the cloud released by the UKs Financial Conduct Authority (FCA) last year suggests that banks should ensure exit plans are documented, understood by appropriate staff and fully tested. It says banks should monitor concentration risk and consider how they would respond if a service provider were tofail.
Peter George, BakerMcKenzie
However, the details remain largely untested. No bank has ever exited from a significant public cloud technology arrangement, the BBA, a UK banking trade body, and Pinsent Masons wrote in a January discussion paper. The report focuses on the cloud model that is available to the general public, with Amazon Web Services the best-knownexample.
As a result, frictions arise as to the contractual terms between banks and cloud service providers and other third parties leveraging public cloud. There is added pressure as parties do not have the benefit of experience to call upon, the paper continues. The BBA is therefore calling on the FCA to work with the banking industry to produce a due diligence checklist for banks migrating from cloudcontracts.
The draft EBA guidance also acknowledges concentration risk inherent in cloud computing, not only from the point of view of individual institution but also at industry level where large suppliers of cloud services can become a single point of failure when many institutions rely onthem.
Among other recommendations, the EBA advises banks to develop key risk indicators to spot deterioration in the cloud service to unacceptable levels, and to prepare alternative solutions and plans for transitioning to them from the out-of-favour cloudprovider.
Not only will a smooth transition to another provider ensure the banks services are unaffected, but it will also spare the bank reputational damage from a failure by a thirdparty.
Neither the EBA nor the FCA guidance contains tips on negotiating contracts with cloud providers, which comes with its own unique challenges.
In traditional bespoke outsourcing, financial services clients tend to have a lot of bargaining power and are able to use their own master services agreements, says Kirsop at Stephenson Harwood. With a cloud service, its a one-to-many solution. Suppliers cant have lots of different terms or policies for different clients. Clients have to get comfortable with standard terms, with limited ability to negotiate around them. Thats the fundamentaldifference.
Finally, as with most banking activities in the post-financial crisis era, regulation can be a key determinant of the spread of innovativepractices.
The EBA wrote in its draft guidance that uncertainty among banks about how supervisors expect them to handle cloud computing poses a barrier to its adoption.
In Indonesia, banks are blocked outright from migrating to the cloud due to their regulators requirement that all critical services be hosted within the countrys borders. For banks, who could they find in Indonesia that could host those services? The big [cloud] providers dont want to set up data centres in Indonesia; its not viable for them right now, says Manish Chawda, partner at Singapore consulting firm Pragma, which specialises in cyber and technologyrisks.
Differences in rules between jurisdictions present another headache for banks.
Jonathan Scott-Lee, Standard Chartered
Standard Chartered, for example, has operations in 68 emerging markets. As the bank is ramping up its use of cloud computing, the answer is not as might be assumed to take a highest common denominator approach, says Jonathan Scott-Lee, the Singapore-based global head of compliance, data, technology, operations and outsourcing at StandardChartered.
For a start, a gold-plated cloud strategy would eliminate most if not all of the cost efficiencies of the cloud. Second, even the highest specifications can fall foul of some regulatory environments: China, for example, mandates specific regulatory standards on the commercial use ofencryption.
I advise our digital teams to develop technology as globally as possible but that is flexible enough to allow software to be deployed in local environments, Scott-Lee says. For example, a cloud-based system could be linked to a locally housed database for client information for jurisdictions where the regulator requires data on clients to be heldlocally.
However, the trend is now towards ironing out regulatory differences around cloud computing, as illustrated by the EBAinitiative.
Jeroen Prins, a London-based financial services technology risk expert at PwC, sums up: For key jurisdictions we believe that similar principles apply and it is now feasible for the larger banks to adopt cloud servicesglobally.
Continue reading here:
Heads in the cloud: banks inch closer to cloud take-up - Risk.net (subscription)
- Why Kubernetes Is the Future of Cloud Computing - Barron's - December 6th, 2019
- We Need to Talk About Cloud Sprawl - Computer Business Review - December 6th, 2019
- Cloud computing IaaS in Life Science Market Research, Growth Opportunities, Analysis and Forecasts to 2026 - Statsflash - December 6th, 2019
- The New Paradoxes of the Cloud Computing World - Forbes - December 5th, 2019
- Andy Jassy's 12 Boldest Remarks On The Future Of Cloud Computing - CRN: The Biggest Tech News For Partners And The IT Channel - December 5th, 2019
- How cloud computing can help your small business thrive - http://smallbusiness.co.uk - December 5th, 2019
- The importance of Cloud Computing for the Utility Industry - Doxee - December 5th, 2019
- Animal Logic promotes cloud computing as democratizing the future of animation - Mash Viral - December 5th, 2019
- Cloud Computing in Education Market: Competitive Landscape and Recent Industry Development Analysis 2017 - 2025 - Weekly Spy - December 5th, 2019
- Breaking Down Amazon's Storage-Related AWS News Announcements - ITPro Today - December 5th, 2019
- Why cloud computing is requiring us to rethink resiliency at the Edge - IT PRO - December 5th, 2019
- Cloud Computing Market Poised for Steady Growth in the Future 2019 - 2028 - Weekly Spy - December 5th, 2019
- AWS and Verizon partner on 5G edge cloud computing - Data Economy - December 5th, 2019
- Cloud now the destination for finance, says survey - www.computing.co.uk - December 5th, 2019
- How The Parts Add Up: The First Trust Cloud Computing ETF Headed For $68 - Forbes - December 2nd, 2019
- What's Happening at the Cloud Insight Jam on December 19th? - Solutions Review - December 2nd, 2019
- Amazon Just Joined The Race To Dominate Quantum Computing In The Cloud - Forbes - December 2nd, 2019
- Cloud Computing Market in Healthcare Research and Development Key Players, Industry Overview and Forecast Analysis - Montana Ledger - December 2nd, 2019
- Cloud-software stocks weather harsh start to December amid tech-spending concerns - MarketWatch - December 2nd, 2019
- Technology Leader of the Year: Enabling the Digital Transformation - IndustryWeek - December 2nd, 2019
- Data in the Cloud is Much More at Risk Than Enterprises May Think - CISO MAG - December 2nd, 2019
- Global Cloud Computing Market Competitive Analysis 2019 By Top Companies Strategies Till 2028 - Sound On Sound Fest - December 2nd, 2019
- Think of data as the new uranium rather than the new oil and treat it like it's toxic - Cloud Tech - December 2nd, 2019
- Is Crowd Computing the Next Big Thing? - EE Journal - December 2nd, 2019
- Cloud Computing Market revenue in Europe to exceed USD 75 Bn by 2026: Global Market Insights, Inc. - GlobeNewswire - November 30th, 2019
- IT solutions found in the cloud - AZ Big Media - November 30th, 2019
- Alibaba wants its cloud computing to help power the future - Abacus - November 30th, 2019
- McAfee notes the gap between cloud-first and cloud-only yet optimism reigns on success - Cloud Tech - November 30th, 2019
- Why glass might be the future of data storage - Financial Times - November 30th, 2019
- The best Software as a Service (SaaS) companies of the 2010s decade - TechRepublic - November 30th, 2019
- Microsoft, not Amazon, is going to win the cloud wars - IT PRO - November 30th, 2019
- Infarm plants its blend of vertical farming and cloud computing in QFC grocery stores - GeekWire - November 30th, 2019
- What to expect from AWS Re:Invent 2019 - IT PRO - November 30th, 2019
- Microsoft and AT&T expand upon partnership to deliver Azure services on 5G core - Cloud Tech - November 26th, 2019
- AI, Cloud Computing and IoT: How digitalisation is driving dramatic IT changes in healthcare - Techerati - November 26th, 2019
- The Impact of Cloud Computing on the Insurance Industry - Doxee - November 26th, 2019
- Its in the Cloud, So it Secure . . . Maybe! - Security Boulevard - November 26th, 2019
- Study shows continued cloud maturation in Nordics with manufacturing a standout - Cloud Tech - November 26th, 2019
- As Per New Report on Hybrid Cloud Computing Market Will Touch a New Level in Upcoming Years | Microsoft Corporation, Cisco Systems, and Amazon Web... - November 26th, 2019
- Infarm plants its blend of vertical farming and cloud computing in QFC grocery stores - Yahoo Tech - November 26th, 2019
- 'Guess What, There's A Cost For That': Getting Cloud & AI Right - Breaking Defense - November 26th, 2019
- AWS re:Invent 2019 - Predictions And A Wishlist - Forbes - November 26th, 2019
- Review: How NeuVector protects containers throughout their lifecycle - CSO Online - November 26th, 2019
- VMware Reports Earnings Today. Heres What to Expect. - Barron's - November 26th, 2019
- HiveIO Top 5 IT Predictions For 2020 - RTInsights - November 26th, 2019
- Adoption of Cloud-Native Architecture, Part 1: Architecture Evolution and Maturity - InfoQ.com - November 26th, 2019
- Cloud, AI, and personalisation: Key issues to consider - www.computing.co.uk - November 26th, 2019
- Global Medical Device Security Solutions Market 2020-2024 | Increasing Demand for Cloud-Based Solutions to Boost the Market Growth | Technavio -... - November 26th, 2019
- Cloud computing IaaS in Life Science Market Global Industry Demand, Scope and Strategic Outlook,Growth Analysis,Business Opportunities and Future... - November 26th, 2019
- How much cloud does an IT disaster recovery plan need? - TechTarget - November 26th, 2019
- Cyber and the cloud: Overcoming the key security challenges amid multi-cloud rise - Cloud Tech - November 24th, 2019
- Global Healthcare Cloud Computing Market 2018-2022 | Introduction of Blockchain in Cloud Computing to Boost Growth | Technavio - Business Wire - November 24th, 2019
- Alibaba Is Taking the Cloud Battle to Amazon - Investopedia - November 24th, 2019
- Video Streaming Platforms And The Benefits Of Cloud - Forbes - November 24th, 2019
- Cloud Computing Market Expected to Grow at 623.3 Billion In Revenue by 2023 - Hitz Dairies - November 24th, 2019
- Amazon reportedly restricted partners at its New York conference from mentioning competitors like Microsoft and Google - Business Insider - November 24th, 2019
- Cloud Computing Market Segmentation and Analysis by Recent Trends, Development and Growth by Regions to 2024 - Eastlake Times - November 24th, 2019
- Cloud computing | computer science | Britannica - November 20th, 2019
- What Is Cloud Computing? How Does Cloud Computing Work ... - November 20th, 2019
- Top Cloud Computing ETFs - November 20th, 2019
- Cloud Computing: Where the Jobs Are - BlackEngineer.com - November 20th, 2019
- Ask the Expert: Cloud Computing in 2020 - Datamation - November 20th, 2019
- Gartner: Cloud computing revenues to jump in coming years - The Advocate - November 20th, 2019
- Nutanix Hires Former Nexenta CEO To Build 'Hybrid Cloud Powerhouse' - CRN: The Biggest Tech News For Partners And The IT Channel - November 20th, 2019
- Across the enterprise: Tackle Industry 4.0 with edge, fog and cloud computing - CanadianManufacturing.com - November 20th, 2019
- Cloud Native Computing Foundation Announces 2019 Community Awards Winners - PRNewswire - November 20th, 2019
- ExtraHop Extends Cloud-Native Network Detection and Response with Google Cloud Platform Integration - Business Wire - November 20th, 2019
- Cloud Computing in Industrial IoT Market in-depth approaches behind the Success of Top Players like Cisco, GE, ChargePoint, Honeywell, Intel, IBM -... - November 18th, 2019
- Task force on artificial intelligence hearing: AI and the evolution of cloud computing - key testimony on the risks, challenges and opportunities -... - November 18th, 2019
- Cloud computing: SaaS, IaaS or PaaS - which is growing fastest? - ZDNet - November 17th, 2019
- How governments can use cloud computing to reduce risk and improve service delivery - Which-50 - November 17th, 2019
- Regulators begin probe into Google-Ascension cloud computing deal: WSJ - Reuters - November 17th, 2019
- Why cloud computing can get you a job 'anywhere in the world' - Siliconrepublic.com - November 17th, 2019
- Salesforce signs a big new deal with Microsoft's cloud to power one of its core products - Business Insider - November 17th, 2019
- Online Education Market in India 2018-2022 | Emergence of Cloud Computing to Boost Growth | Technavio - Business Wire - November 17th, 2019
- France and Germany outline its plan to boost European cloud computing sector - Data Economy - November 17th, 2019
- Adobe Stock: Is The Cloud Computing Leader Ready For Another Leg Up? - Investor's Business Daily - November 17th, 2019
- UPDATE 1-Regulators begin probe into Google-Ascension cloud computing deal -WSJ - Reuters - November 17th, 2019
- CEO Andy Jassy reportedly said AWS is two years ahead of Microsoft - Business Insider - November 17th, 2019
- US Healthcare Cloud Computing Market Size & Share 2019 Predictions and Analysis Report by 2027: Facts & Factors (FnF) - The World Industry... - November 17th, 2019