Banking in the Cloud: Between Rogues and Regulators, Part 2

The Emergence of the Compliant Public Cloud
by James O'Neill, April 1, 2016

Abstract

Although a few large banks are experimenting with cloud-based services, few have taken the plunge in publicly and visibly transitioning a mission-critical banking service to the cloud. The reasons most often cited for slow adoption of cloud services in banking are data security and the fear of regulatory scrutiny. Contrary to popular belief, banking regulators are non-discriminatory when it comes to how a bank provisions its IT environment. The catch is that regulators maintain a consistently high level of expectation for the standards a bank sets for IT security.

In the second installment of Banking in the Cloud: Between Rogues and Regulators, Celent examines the evolving relationship between banking regulation and the cross-industry standards for IT security in the cloud, and goes on to identify the key takeaways for financial institutions formulating their cloud strategy. 

Part one of this series provided an in-depth review of the pertinent guidelines of the FFIEC regarding IT security and concluded that increased regulatory scrutiny from cloud services was more myth than reality. The first report also went on to demystify the security and compliance issues facing banks.

Cyberattacks against banks accounted for 6% of all attacks worldwide in 2014, but loss of personal information by banks was more than 20% of the total, second only to retail. In that context, the FFIEC’s recent guidance that IT outsourcing, including cloud-based services, can actually decrease cybersecurity risk is a watershed event.

“These developments mean that yesterday’s reasoned principles for abstaining from cloud services are becoming tomorrow’s thin excuses. Slow-moving banks will once again find themselves at a disadvantage competitively and financially,” says James O’Neill, a senior analyst with Celent’s Banking practice and author of the report.

Report highlights include:

  • A discussion of dynamics in the struggle between cyberattackers and banks.
  • Examination of the rapidly evolving compliance tools and governance mechanisms for cloud services, such as the CSA’s Cloud Controls Matrix.
  • A look at the movement of the FFIEC toward cross-industry standards for building a secure cloud-based processing environment.
  • Key takeaways for banks considering the opportunities presented by cloud-based services.

Celent is a research and advisory firm dedicated to helping financial institutions formulate comprehensive business and technology strategies. Celent publishes reports identifying trends and best practices in financial services technology and conducts consulting engagements for financial institutions looking to use technology to enhance existing business processes or launch new business strategies. With a team of internationally based analysts, Celent is uniquely positioned to offer strategic advice and market insights on a global basis. Celent is a member of the Oliver Wyman Group, which is a wholly-owned operating unit of Marsh & McLennan Companies [NYSE: MMC].

Media Contacts

North America
Michele Pace
mpace@celent.com
Tel: +1 212 345 1366

Europe (London)
Chris Williams
cwilliams@celent.com
Tel: +44 (0)782 448 3336

Asia (Tokyo)
Yumi Nagaoka
ynagaoka@celent.com
Tel: +81 3 3500 3023

Table of Contents

  • Executive Summary
      • Key Research Questions
  • Introduction
  • Dynamics of Cybersecurity
      • The Rogues
      • The Regulators
      • The Banks
  • The Compliant Cloud
      • AICPA Common Criteria
      • NIST Cybersecurity Framework
      • FFIEC Cybersecurity Assessment Tool
  • Takeaways for Financial Institutions
      • Regulators Support Cloud
      • Cloud Services Are Enterprise-Ready
      • Cloud Services Can Increase Data Security
      • Security Standards Are Converging
      • Traditional TSPs Are Late to the Party
  • The Path Forward
  • Leveraging Celent’s Expertise
      • Support for Financial Institutions
      • Support for Vendors
  • Related Celent Research
