Retail and commercial financial services moving to the cloud is generally considered a good thing. The cloud offers benefits that financial services providers cannot access in any other way. But moving to the cloud presents real challenges in terms of cybersecurity. A new U.S. Treasury Department report makes that very clear.
The report calls out the financial services industry and the small number of cloud service providers (CSP) that service it for not doing enough to address cybersecurity concerns. But the report did not stop there. It went on to highlight Treasury’s commitment to working with both private and public partners to improve both cybersecurity and transparency.
The Problem as Treasury Sees It
As the Treasury Department sees it, there are two fundamental issues the industry needs to address. First are the technical vulnerabilities associated with moving data and systems to the cloud. Those vulnerabilities have undeniable risks attached to them. At the very least, financial institutions risk exposing sensitive data to bad actors.
The second problem is that the sector is being serviced by a very small number of cloud providers. Treasury sees this as a problem because of the potential for a large number of financial institutions to be affected if something goes wrong with a single CSP.
It is difficult to argue that second point. Consolidation is generally favored over fragmentation in most industries. But consolidation in cybersecurity only works if cloud providers build robust networks with an excess of amount of redundancy designed to protect against cybersecurity threats and system-wide failures.
The Industry’s Obligation to Customers
Regardless of the content of the Treasury Department report, financial institutions have obvious obligations to their customers. The entire industry is obligated to make every effort to maintain the highest standards and practices of cybersecurity across the board. There is no room for compromise here. Financial records are extremely sensitive. Not maintaining the highest level of security means putting customers at significant risk. That is never acceptable.
In terms of transparency, the Treasury Department report doesn’t go to great lengths to explain things. It is not quite clear how the financial services sector could be more transparent about what they do, both in terms of cybersecurity and moving data to the cloud. Nonetheless, Treasury insists that greater transparency is needed.
The Industry Must Do Better
Take away all the political speak and jockeying for position and one thing remains crystal clear: the financial services industry must do better as it more heavily invests in the cloud. Moving data to the cloud should never be approached lightly. Securing the cloud should be a top priority. The entire cybersecurity issue should overshadow everything service providers do in relation to their cloud transitions.
As for the Treasury Department, the best way they can help is to work with other government agencies to standardize regulations on a global scale. As things currently stand, Treasury recognizes that the state of the global regulatory regime resembles a patchwork of rules and regulations that don’t work well across jurisdictions.
A new set of regulations standardizing security and transparency need to be developed. Only then will financial institutions be able to maximize cloud security regardless of where data is stored. Getting to that place will not happen overnight. It is a long term exercise that could take years to complete.
In the meantime, the financial services industry continues its march to the cloud. The march was inevitable. And now that its time has arrived, cybersecurity and transparency should be out front. At least that is what the U.S. Treasury Department seems to believe.
