By Noah Kessler
After having evaluated the benefits, large financial institutions are embracing the cloud, resulting in its exponential growth in the industry. While the cloud delivers a raft of benefits, the pace of cloud adoption also has raised questions regarding the efficacy of risk management and compliance practices within CSPs. However, CSPs are well-positioned and highly experienced in practicing effective risk management. Mature and robust risk management practices and processes are embedded in every vertical and product line in leading CSPs.
Regulators, who regard CSPs as emerging technology organizations (in the same category as fintech and regtech companies), have been publishing guidance on the use of these various technology organizations and providers for nearly a decade. Until recently, however, the guidance has not been very detailed.
Ultimately, the burden of providing regulators with greater comfort regarding the use of CSPs rests with the regulated financial services industry. The challenge is to prove to the regulators that CSPs and the financial services firms that use them understand and have effective risk management.
As cloud adoption in the financial services industry has increased, regulators are becoming more knowledgeable about how firms are relying on CSPs without sacrificing the rigor required in risk management and compliance practices.
Financial regulators generally focus on risk issues related to the safety and soundness of an institution as well as protection for its customers. In their attention to those priorities, regulators increasingly recognize how CSPs are supporting the security controls of financial services organizations by enabling a complete, real-time inventory of assets and how they are protected.
Cloud technology directly addresses the security concerns of regulators and others while providing significant operating benefits. Moving data and services from a bank's dedicated legacy infrastructure to a multi-tenant cloud environment, if properly configured, can provide additional layers of security for the institution and decrease its systemic risk.
CSPs are world-class experts in security and protection, with highly skilled teams dedicated to ensuring privacy and effective controls. Amid the surge in cyber-attacks in recent years, financial institutions understand how difficult it is to match internally the scale of what CSPs are investing in security.
Through the greater processing capacity and power that CSPs deliver, financial services firms can release new cutting-edge technologies much faster. They can also save money by moving from a fixed-cost to a variable-cost basis.
Because they serve multiple customers, CSPs' scale provides cost savings. CSPs use that scale to keep their systems on the cutting edge of technology, providing the latest in infrastructure and security. Financial services institutions, on the other hand, often are trapped in legacy architecture that can necessitate an inefficient use of computing power and data storage. Smaller banks, in particular, may lack the capacity to hire the highest-caliber technology resources or be able to convert to newer technologies.
Regulators have come to appreciate that the basket of risk for financial services organizations has shifted and, in many cases, diminished with the advent of CSP involvement. In particular, they note the benefits of end-to-end security and remain attentive to coordination of incident responses between CSPs and financial services institutions.
However, regulators have questions about the overall risk management approach and practices among CSPs, which tend to differ from those of financial institutions, with which regulators have a high level of familiarity.
Regulators and examiners need to consider whether the questions they ask of financial services institutions still make sense in the context of cloud-based services and whether they might have to modify some of these as their understanding expands.
A systemic relationship prevails between the banking community and CSPs. Just as with any third-party service provider, regulators recognize that if a CSP suffers a significant adverse event, a trickle-down effect could impact the banks.
CSPs' robust risk management practices are evident when assessing them on operational resilience, risk controls, lines of defense, automation and innovation.
A critical component of risk management in financial services is operational resilience. Regulators have been very clear that operational resilience plans must account for firms' material use of third-party providers.
Roles and responsibilities need to be delineated clearly between financial services institutions and the CSPs they use (typically referred to as a shared responsibility model). A clear contract that details the activities and obligations of each party is necessary. In the eyes of the regulators, any issue that arises ultimately is the responsibility of the financial institution.
CSPs cannot assess the criticality of a service for a financial institution. For example, a CSP wouldn't know if a workload is so significant that it underpins a bank's payment system. The criticality rating must be relayed to the examiners by the financial institution.
Although every CSP with which a financial institution has a relationship is responsible for a piece of operational resilience, banks must apply that shared responsibility model to systems placed in the cloud. Additionally, interdependencies between services present potential risks. If there were an outage for one service, it might have downstream effects on others.
Resilience poses further questions. Regulators may ask how the bank deploys a resilient architecture for its workloads on the CSP's infrastructure. Regulators must understand the measures that the bank has taken to protect its resilience when parts of a CSP's infrastructure are not available.
Above all, using and relying on a CSP that provides resilient and fault-tolerant infrastructure and services does not mean that the financial institution has abdicated responsibility around resilience. Regardless of what CSP an organization is using, it is the responsibility of that organization to manage its own space within the cloud. Systems in the cloud that are not architected properly will not enjoy the benefit of the CSP's resilience advantages and could raise red flags for regulators.
Leading CSPs employ robust risk management and compliance practices comparable to those of financial institutions. They just do so with a different approach and model (bottom-up and top-down, or 360 degrees) compared to financial institutions (top-down). Regulators are far more familiar with the model employed by financial institutions.
Within CSPs, a pervading culture of ownership drives risk management. Although governance reporting flows to senior leadership, as expected by regulators in terms of oversight, service and product teams still retain a high amount of accountability.
In a belt-and-suspenders approach, executive management oversees the commonalities while each service is essentially treated as its own business unit. That independence provides the flexibility to develop processes and operations that best support the needs of each service. Although the chief information security officer puts in place security guardrails, these groups are empowered to do what makes the most sense for their products.
Typical dimensions of risk mitigation differences are illustrated in the following examples:
Architecture. CSPs anticipate failure of hardware and software by building in automated resilience; financial institutions focus on resilience through traditional disaster recovery sites, requiring human intervention.
Service delivery. CSPs conduct service requests via application programming interfaces; financial institutions conduct service requests via human workflow.
Operability. CSPs' programmatic and automated operations require fewer human operators as demand increases; within financial institutions, human-intensive operations grow linearly with demand.
The shared responsibility model outlines certain aspects for which the CSP is responsible and others for which their clients are. For instance, while the CSP may provide an API for a customer's access to storage devices, the CSP won't be responsible for the data the customer puts there. Its controls are intended to provide only virtual segmentation of the customer's data and the physical environment networking around it, as well as to prevent attackers from accessing it through the CSP's network. It remains the role of the customer to protect access to that data through proper controls and encryption.
The three lines of defense model (management/business line, risk and compliance oversight, and internal audit) is an accepted framework in financial services and other industries. This model defines responsibilities for management, risk oversight and independent assurance. CSPs employ the same model:
First line. Product development teams create and manage cloud services. These teams are comparable to a bank's business lines and they focus on areas like security practices, capacity and availability. Each is responsible for owning its risk activities, as well as for understanding how its function interacts with other services.
Second line. Compliance or security assurance groups, comparable to the risk or compliance function in a financial institution, are in place at CSPs. The second line governance reporting oversees the enforcement of the teams' risk management at a detailed level. Second line staff in a CSP, who are typically engineers and security experts, provide continuous validation checks to ensure service teams are meeting a high bar for security and operational resilience. Other formal groups conduct penetration testing, security reviews and onboard services into different client programs.
Third line. A robust internal audit function in CSPs is comparable to the internal audit department in financial firms. Large customer audit teams operate within the CSP. To a greater extent than banks, they release dozens of assurance reports on a regular basis to provide evidence of their control posture. CSPs are also heavily audited by third parties in terms of their standards, controls and processes.
CSPs use advanced automation in their risk management and compliance practices, minimizing manual controls. That helps CSPs to provide services at scale, such as detecting and alleviating security events rapidly, redirecting traffic, or load balancing.
Automated controls generate significant benefits, including improved accuracy, a clear audit trail, centralization and harmonization among organizational silos, such as finance and risk. Thus, CSPs are able to address certain technology concerns more effectively than financial institutions, including always-patched databases, deep and comprehensive logging, one-click threat analysis, and access to multiple geographic regions for resource deployment. Financial institutions benefit from CSPs' automated collection of evidence and mapping.
Automated services continuously collect and organize IT configuration and logs in a streamlined fashion, which can then be delivered to the bank's risk management group.
Another great power of the cloud is automated compliance. Rather than the standard on-premise practice of a manual process that an infrastructure team must configure, CSPs use code to automate compliance controls, guaranteeing consistency and comprehensiveness.
Cloud service providers are among the top innovators in the world. They continuously use leading-edge technologies to drive effective risk management. Century-old financial institutions may be slowed by a legacy organizational structure based around risk and control. CSPs, which don't have legacy debt or business incentives to keep over time, are willing to build more efficiently from scratch and remain more efficient over the long run. The CSP, armed with new ideas, can deliver its products much faster than traditional banks can.
Since the onset of the COVID-19 global pandemic, financial institutions have accelerated their use of cloud capabilities, to support remote work, customer service and higher transaction volume. Meanwhile, regulators have become more cognizant of how CSPs work and more comfortable with their risk management practices.
When it comes to risk management, one of the stark differences between a CSP and a financial institution is that a CSP has the ability to empower its employees to be innovative in terms of managing risk.
The overarching goal of the regulators remains the safety and soundness of their supervised financial institution, along with the protection of the end customer. As regulators grow increasingly familiar with the new efficiencies and culture of the cloud service provider industry, there should be increasing customization in their oversight of CSPs.
Noah Kessler, managing director at Protiviti, can be reached at noah.kessler@protiviti.com.