US Treasury Assesses Adoption of Cloud Services in Financial Sector

The report sets out findings of the U.S. Treasury on the current state of cloud adoption in the financial sector, including potential benefits and challenges associated with the increasing adoption of cloud services. The report does not impose any requirements or standards applicable to regulated financial institutions and does not endorse or discourage the use of any specific provider or cloud services. The report findings shows that the adoption of public cloud services has increased rapidly over the last decade, though the models of adoption continue to vary across the financial sector. Many larger financial institutions plan to adopt a hybrid model involving the strategic use of both public and private cloud services with their own data centers, some financial institutions have significantly reduced their data center footprint by hosting applications and data in a public cloud environment. Meanwhile, smaller and mid-size institutions are also adopting public cloud services, with some operating their information technology (IT) infrastructure entirely in the cloud. Other adoption is indirect and results from an institution’s relationships with third-party providers, which have gravitated away from offering on-premises solutions in favor of cloud-based ones. The report also identifies the following six thematic challenges that may detract from the potential benefits associated with cloud services:

• Insufficient transparency to support due diligence and monitoring by financial institutions. It is essential that financial institutions fully understand risks associated with cloud services so they can build their technology architecture with appropriate protections for consumers. Treasury believes that further efforts are needed to achieve the right balance of information sharing between cloud service providers and financial institutions.
• Gaps in human capital and tools to securely deploy cloud services. The cloud service providers need to increase employee engagement experts, and to improve supportive technological tools and adoption frameworks that can help ensure that financial service firms design and maintain resilient, secure platforms for their customers.
• Exposure to potential operational incidents, including those originating at a cloud service provider. Many financial institutions have expressed concern that a cyber vulnerability or incident at one cloud service provider may potentially have a cascading impact across the broader financial sector. 
• Potential impact of market concentration in cloud service offerings on the financial sector’s resilience. The current market is concentrated around a small number of cloud service providers, which means that if an incident occurs at one cloud service provider, it could affect many financial sector clients concurrently.
• Dynamics in contract negotiations, given market concentration. The limited number of cloud service providers may give them outsized bargaining power when contracting with financial institutions. This outsized negotiating advantage could limit the ability of financial institutions, particularly smaller financial institutions, from negotiating advantageous contractual terms for cloud services.
• International landscape and regulatory fragmentation. The increased foreign regulatory scrutiny of cloud services and cloud service providers could pose benefits and risks to the resilience, security, and capabilities of cloud services at a global scale.

As a next step, the U.S. Treasury will continue to monitor and facilitate further engagement between the financial sector and cloud service providers. The U.S. Treasury plans to focus on promoting closer domestic cooperation among U.S. regulators on cloud services, conducting tabletop exercises with industry, reviewing sector-wide incident protocols in light of growing reliance on cloud services, measuring cloud service dependencies across the sector and assessing systemic concentration and related risks on a sector-wide basis, and identifying ways to foster effective risk management practices in the financial services industry. The U.S. Treasury, along with members of the Financial and Banking Information Infrastructure Committee (FBIIC), will continue to support the development of relevant standards and international policies at the G7, the Financial Stability Board, and the international financial standard-setting bodies and to explore ways to increase international collaboration and coordination on financial regulatory issues arising from cloud services.

Related Links

• Press Release
• Report (PDF)