Treasury looks to help the financial sector move to the cloud
Among the potential risks: market concentration among cloud service providers.
The Treasury Department wants to help financial institutions move to the cloud.
The department released new resources for cloud adoption, in collaboration with Financial Services Sector Coordinating Council, an industry-led nonprofit. The report is the outcome of more than a year of partnership between the council and the Financial and Banking Information Infrastructure Committee.
“One of the things that we are increasingly concerned about is that cyber actors — be they criminals who are looking to make money or state actors — are seeking to target our financial system and, often, third party service providers to the system,” Wally Adeyemo, deputy treasury secretary, said Wednesday.
Resources include a cloud security implementation plan for financial institutions and key considerations for contractual provisions between financial institutions and cloud service providers.
The new resources follow a report released by the Treasury in February on the state of cloud adoption in the financial services sector, which resulted in a new cloud executive steering group. The Treasury Department is the government’s designated sector risk management agency for the financial services sector.
Among the challenges detailed in the report are a lack of transparency about cloud service providers to support monitoring by the financial institutions using them; difficulties around contract negotiations, especially for smaller institutions, and market concentration.
“The cloud really is dominated now by a few major service providers connected to well-known big tech companies, so one of the things we have put a lot of thought into is what happens when something goes wrong,” said Rohit Chopra, director of the Consumer Financial Protection Bureau, which led an effort to address the coordination of information sharing related to cloud service providers and enhanced coordination between agencies to monitor risks.
Adeyemo also pointed to the impact of a few, dominant cloud service providers.
“We do need to think through how we address the risk that's created by very few players in this industry that have a great deal of power,” he said.
The Federal Trade Commission has also been digging into the issue of competition and security risks regarding cloud providers already.
The FTC issued a request for information last year that surfaced concerns about the software licensing practices for cloud providers and the potential for a single point of failure on behalf of a cloud provider having a “cascading impact” on the economy.
"Just imagine what will happen to families and businesses in this economy if they cannot make payments, they cannot withdraw money or they cannot do what they need to do in their daily lives,” said Chopra. “We need to make sure that our cloud infrastructure is resilient, that it is always working and that an outage does not create a massive financial crisis.”
Chopra said that there is more to “figure out” in the space, asking “Do we need to be enhancing some of the regulations that cover these big cloud service providers?”
Another question he pointed to is the lack of bargaining power, especially among smaller financial institutions looking to work with cloud providers.
“We’re going to need to address that with industry,” he said.
For now, additional items on cyber incident response coordination and cloud concentration risk are forthcoming, according to the Treasury. The cloud steering group will also be reconvening public and private partners around artificial intelligence, which the department has also released a report on already.