U.S. Department of Treasury Report Highlights Pitfalls of Using Cloud Platforms
February 23, 2023
Treasury Sets Up New Interagency Cloud Services Steering Committee
Critical Points In a Nutshell
-
What Happened: The U.S. Department of the Treasury (“Treasury”) released a report highlighting potential benefits and risks with the use of cloud in the financial industry and has set up a new interagency cloud steering committee to address these concerns.
-
Who Does This Affect: U.S. financial institutions (“Institutions”) who use cloud service providers (“CSP”).
-
How This Affects You: While the report itself does not impose any new requirements on financial institutions, regulators may use the report’s findings to adopt new cloud guidelines.
-
Actions For You to Consider: Institutions who use cloud services may consider:
Applying a risk-based approach to its cloud design and implementation strategy, considering its regulatory environment, risk tolerance level, the particular services being requested, and how its cloud services are being used and configured;
Ensuring its IT staff has specialized cloud expertise;
Incorporating cloud scenarios when creating incident response and business continuity plans;
Working with your CSP to design a resilient and user-friendly cloud solution that will decrease risk of system vulnerability and potential user misconfiguration; and
Addressing transparency, risk management, and regulatory requirements in CSP contracts.
Additional Perspectives
On February 8, 2023, the Treasury released a report (“Cloud Report”) highlighting the benefits and challenges of using cloud-based technologies in the financial industry and proposing actions to address these concerns. The Cloud Report is the result of the collaboration between the Treasury and the Financial and Banking Information Infrastructure Committee as well as input from other U.S. regulators and private sector stakeholders. The Cloud Report added a disclaimer stating that the Cloud Report does not impose any new requirements on Institutions and “neither endorses nor discourages cloud service adoption by the [financial] sector” (Cloud Report, p. 62).
The Cloud Report identified six challenges for Institutions using cloud-based services, which are highlighted in the below table.
Challenge |
Select Highlights from the Cloud Report |
Insufficient Transparency to Support Due Diligence and Monitoring by Institutions (Cloud Report, pp. 49-50) |
|
Gaps in Human Capital and Tools to Securely Deploy Cloud Services (Cloud Report, pp. 50-53) |
|
Exposure to Potential Operational Incidents, Including Those Originating at a Cloud Service Provider (Cloud Report, pp. 53-57)
|
|
Potential Impact of Market Concentration in Cloud Service Offerings on the Sector’s Resilience (Cloud Report, pp. 57-59)
|
|
Dynamics in Contract Negotiations Given Market Concentration (Cloud Report, pp. 59-60) |
|
International Landscape and Regulatory Fragmentation (Cloud Report, pp. 60-61) |
|
Proposed Next Steps by the Treasury
The Treasury has stated in the report that it will engage with other U.S. and foreign financial regulators, cloud service providers and the financial sector to address the above challenges. The Treasury has identified the following actions to support its cloud strategy:
-
Establish an interagency Cloud Services Steering Group to coordinate on cloud issues;
-
Conduct tabletop exercises that will involve cloud service providers and Institution stakeholders;
-
Develop approaches to increase coordination, collaboration, and information sharing with other agencies and Institutions regarding potential cloud risks;
-
Create industry wide definitions and terms;
-
Measure the concentration of “critical uses of cloud services” across the industry;
-
Review incident response processes to improve communication among regulators, CSPs, and Institutions;
-
Develop enhanced regulatory guidance on cloud risk management practices;
-
Collaborate with foreign regulators on developing international “standards, principles and guidance” and improving bilateral relationships and communications with such foreign regulators; and
-
Foster consensus on “cloud security controls, risk management practices and contractual requirements”.
How We Can Help?
Click here for a downloadable PDF of the Legal Update.
This Cybersecurity, Data Protection & Privacy Alert is intended to keep readers current on developments in the law and is not intended to be legal advice. If you have any questions, please contact Elizabeth Wilson at 215.851.8497 or ewilson@eckertseamans.com, or Matthew Meade at 412.566.6983 or mmeade@eckertseamans.com, or any other attorney in our Cybersecurity, Data Protection & Privacy Practice Groups, or any other attorney at Eckert Seamans with whom you have been working for further information and assistance.