The U.S. Department of the Treasury released a report on the concerns with cloud services technology. The report found that financial service firms ramping up their reliance on cloud-based technologies need more visibility, staff support and cybersecurity incident response engagement from cloud service providers (CSPs). 

In assessing the current state of cloud adoption in the financial sector, the Treasury found that cloud services could help financial institutions become more resilient and secure, but that there were some significant challenges that could detract from these benefits. These include:

Insufficient transparency to support due diligence and monitoring by financial institutions. Community banks expressed concerns that they do not often receive details of incidents or outages impacting their systems. It is essential that financial institutions fully understand risks associated with cloud services so they can build their technology architecture with appropriate protections for consumers. While recognizing that CSPs provide significant information to financial institutions already, the Treasury believes that further efforts are needed to achieve the right balance of information sharing between CSPs and financial institutions. 

Gaps in human capital and tools to securely deploy cloud services. The current talent pool needed to help financial firms tailor cloud services to better serve their customers and protect their information is well below demand. CSPs need to increase employee engagement experts, and to improve supportive technological tools and adoption frameworks that can help ensure that financial service firms design and maintain resilient, secure platforms for their customers.

Exposure to potential operational incidents, including those originating at a CSP. Many financial institutions have expressed concern that a cyber vulnerability or incident at one CSP may potentially have a cascading impact across the broader financial sector. While cloud services can have potential benefits for resilience and security, financial institutions are still exposed to risks associated with technical vulnerabilities at CSPs and face practical challenges to mitigating such risks or migrating their operations to another provider.

Potential impact of market concentration in cloud service offerings on the financial sector’s resilience. The current market is concentrated around a small number of CSPs, which means that if an incident occurs at one CSP, it could affect many financial sector clients concurrently.

Dynamics in contract negotiations given market concentration. The limited number of CSPs may give CSPs outsized bargaining power when contracting with financial institutions. This outsized negotiating advantage could limit the ability of financial institutions, particularly smaller financial institutions, to negotiate advantageous contractual terms for cloud services.

International landscape and regulatory fragmentation. The patchwork of global regulatory and supervisory approaches to cloud technology can make it nearly impossible for U.S. financial institutions to adopt cloud consistently at a global scale, reducing CSP use in the market and raising costs for cloud adoption strategies, which ultimately impacts consumers. Additionally, changes in regulations abroad may subject CSPs to direct oversight by foreign financial regulators, which could create regulatory conflicts negatively impacting the quality and security of services to all CSP clients.

Read the full Treasury Cloud report.