Banking in the Cloud: Between Rogues and Regulators, Part 2
The Emergence of the Compliant Public Cloud
Abstract
Although a few large banks are experimenting with cloud-based services, few have taken the plunge in publicly and visibly transitioning a mission-critical banking service to the cloud. The reasons most often cited for slow adoption of cloud services in banking are data security and the fear of regulatory scrutiny. Contrary to popular belief, banking regulators are non-discriminatory when it comes to how a bank provisions its IT environment. The catch is that regulators maintain a consistently high level of expectation for the standards a bank sets for IT security.
In the second installment of Banking in the Cloud: Between Rogues and Regulators, Celent examines the evolving relationship between banking regulation and the cross-industry standards for IT security in the cloud, and goes on to identify the key takeaways for financial institutions formulating their cloud strategy.
Part one of this series provided an in-depth review of the pertinent guidelines of the FFIEC regarding IT security and concluded that increased regulatory scrutiny from cloud services was more myth than reality. The first report also went on to demystify the security and compliance issues facing banks.
Cyberattacks against banks accounted for 6% of all attacks worldwide in 2014, but loss of personal information by banks was more than 20% of the total, second only to retail. In that context, the FFIEC’s recent guidance that IT outsourcing, including cloud-based services, can actually decrease cybersecurity risk is a watershed event.
“These developments mean that yesterday’s reasoned principles for abstaining from cloud services are becoming tomorrow’s thin excuses. Slow-moving banks will once again find themselves at a disadvantage competitively and financially,” says James O’Neill, a senior analyst with Celent’s Banking practice and author of the report.
Report highlights include:
- A discussion of dynamics in the struggle between cyberattackers and banks.
- Examination of the rapidly evolving compliance tools and governance mechanisms for cloud services, such as the CSA’s Cloud Controls Matrix.
- A look at the movement of the FFIEC toward cross-industry standards for building a secure cloud-based processing environment.
- Key takeaways for banks considering the opportunities presented by cloud-based services.