In view of a recent trend towards the use of third-party cloud service providers by financial market participants, particularly banking institutions, the U.S. Department of the Treasury has released a new report entitled The Financial Services Sector’s Adoption of Cloud Services. The report outlines the findings from its investigation into the “current state of cloud adoption in the financial sector” and primarily summarizes the key risks and challenges associated with this trend that were identified during the investigation. Some of these risks are briefly described below:
(1) Lack of oversight and insufficient due diligence: Many financial institutions did not demonstrate adequate oversight over their third-party cloud service providers. Some did not even know which services they were subscribing to from which third party. In this context, it should be noted that many institutions complained about inadequate documentation from the third-party provider, e.g. with respect to system architecture and security incident response measures, making it hard for them to comply with their own oversight obligations. Additionally, institutions cited the sheer number of third-party relationships as a reason for lacking adequate oversight.
(2) Lack of human and technical resources and a lack of know-how: Many institutions simply did not have an adequate number of employees overseeing third-party arrangements and conducting system tests, including penetration tests, in this context. Additionally, a lack of know-how among staff members regarding system infrastructures and dependencies appears to be prevalent at the institutions investigated. This holds particularly true for small and medium-sized institutions. Furthermore, and this was primarily noted by service providers, a large number of institutions do not have adequate tools to accommodate third-party arrangements, e.g. for the encryption or communication of data.
(3) The impact of market concentration: The investigation showed that there’s only a limited number of service providers offering an adequate level of service to financial market participants, leaving this market segment highly concentrated among a few large players. Additionally, many institutions often had a large number of third-party arrangements with various suppliers who themselves may have, or do have, interdependencies. Furthermore, dependencies within groups were / are typically quite large; that is, one provider is used throughout the group and / or different business entities use data from other business entities within the same group furnished by one service provider.
(4) Risk of operational disruptions: Naturally, the use of third-party cloud service providers increases the risk of operational disruptions at individual institutions. Depending upon the nature of the services and the scope of functions used, financial institutions are exposed to significant risks primarily pertaining to cyber security and service availability. Particularly in view of the weaknesses noted above, the risk of operational disruptions becomes more and more real.
To conclude, the USDT calls upon regulators and market players to keep these risks in mind and take adequate steps to mitigate any potential threats.