Banking Tech Forecast: Cloudy With a Chance of Cyber Risk
Cloud Adoption in Financial Services Has Soared - And So Has Security Risk
Nearly all financial services companies in the United States use some form of cloud computing, and more than half of them faced compromises last year, according to payments and cloud security experts. The infamous Capital One breach and other attacks, such as the ones on Wiseasy and AvidXchange in recent years, demonstrate the vulnerability of cloud environments.
While cloud security is a challenge across industries, organizations in the financial services sector face unique impediments due to special regulatory, data security and privacy considerations that don't apply to most industries.
Financial institutions hold large amounts of sensitive information, so they need to constantly adapt their protections and create unique computing requirements, said Linda Betz, acting CISO at the Financial Services Information Sharing and Analysis Center. They also face regulatory requirements, which require strict diligence when setting up and managing third-party services, such as cloud providers, she said.
Regulations such as the Payment Card Industry Data Security Standard, the California Consumer Privacy Act, the General Data Protection Regulation and the Sarbanes-Oxley Act necessitate security controls for data handling, implementation and monitoring capabilities. To ensure compliance and adhere to these standards, financial services organizations must be able to analyze their cloud infrastructure and configurations.
"In many ways, the sophistication of the major cloud providers regarding security means that the sector is more secure as it migrates to the cloud," Betz said.
But resilience is a key issue. The financial sector is heavily reliant on a few large cloud services providers, creating concentration risk, Betz said. "If one major provider does go down, a large proportion of the sector could be impacted," she said.
Financial services firms have adopted cloud rapidly in the past few years. Ninety-eight percent use some form of cloud computing, and 59% store or process regulated banking information within cloud services, according to the Cloud Security Alliance.
With the pandemic and subsequent move to remote working, financial institutions have grown more comfortable with cloud computing as a responsible technology that can provide greater confidence in security controls, said Troy Leach, chief strategy officer at the Cloud Security Alliance. Leach helped establish and lead the PCI Security Standards Council, which creates global standards and certification programs for the payments industry.
The breakneck pace of adoption has also resulted in a shortage of security experts who understand the overlapping yet unique needs of the two industries.
The cybersecurity sector has faced a shortage of skilled security professionals for most of its existence. Cloud solutions help mitigate this, because security can be integrated into the infrastructure and managed in a centralized place, Betz said.
"Even then, financial institutions are still expected to conduct due diligence and oversight of third parties. This ability to evaluate security in a complex environment requires a high level of skill, which will continue to be highly sought after," she said.
Hiring and retraining existing staff to meet the volume of needed workers is a challenge too, as is a regulatory landscape that pushes toward multi-cloud infrastructure for resiliency, Leach said. This means that a financial institution may be required to support multiple cloud service providers that operate differently and take different approaches to securing assets.
"The expectation is that these organizations will simply hire subject matter experts for each iteration of cloud, which defeats some of the benefits and efficiencies that cloud services offer," he said.
Financial institutions also face the unique expectation of managing financial data in addition to technology that could influence access to that data, Leach said.
"Not only is there the challenge of restricting access to financial accounts and keeping the information confidential, but there is legacy legislation that has existed for over 30 years and was established before there was any commercial concept of cloud computing and leveraging all the various types of services available today," Leach said.
Accountability Musical Chairs
Misunderstanding cloud service responsibilities is the most common security issue today, Leach said. A vast majority of reported data breaches within cloud services are associated with misconfigurations or poor understanding of who has responsibility, he said.
Accountability for third-party services must be documented and understood completely by both parties. "For example, there are so many native security controls that exist in cloud architecture. But if they are not enabled, it is like owning a sports car but only using it because you like the leather seats and never turning over the engine," Leach said.
This is especially important since cloud services are offered in many different ways.
The makeup of each offering, and whether or not security is included, depends on the chosen cloud service as well as the firm's specific needs, Betz said. Software as a service usually includes security, but infrastructure-as-a-service providers may only offer the building blocks to protect the solution, she said. In an IaaS environment, the cloud provider usually applies security, such as patching capabilities, to the base infrastructure, Betz said, but the financial institution still needs to secure the application within the cloud platform.
"The beauty of cloud services is the ability to have advanced customization. But it also makes it highly important for your security teams to have good, ongoing cloud security training to understand how best to apply the security," Leach said.
Under the shared security responsibility model, financial companies must evaluate and discuss, for each expected security requirement, whether it will be provided inherently in the service, offered as an additional service, or left to the customer to "bring your own security," or BYOS, Leach said.
The level of responsibility for each partner changes if the platform is used as an IaaS, SaaS or platform as a service, Betz said.
IaaS requires the institution to have more security responsibilities in the setup and maintenance of the cloud solution, whereas SaaS solutions require the cloud provider to have more security responsibilities. SaaS solutions also can be built on a cloud provider, which creates more complexity as there is a fourth party involved in the solution. Contracts are used to identify the split of responsibilities, she said.
"Regardless of the contractual split of security responsibilities, regulators are increasingly holding financial institutions responsible for security incidents that occur through third-party suppliers," Betz said.
Financial firms also face reputational risk related to suppliers. Customers do not know or care about the minutia of contractual responsibilities - they only care whether their money and data are safe with their institution, she said. Security, compliance and procurement leaders at financial institutions must consider their third-party risk appetite accordingly, Betz added.
Previously, companies faced the natural pain points of fitting modern technology to former business practices and to auditing approaches designed for a traditional, on-premises environment. Documentation, and the expectation that everything would exist in a simple static state or log file, was the greater challenge.
But now, when we are creating more than 100 zettabytes of new data daily - before the quick adoption of ChatGPT and other generative artificial intelligence - the natural evolution is more automation to manage the pace of data processing, which means the regulatory perspective needs to shift toward assessing the process and assuring that the practice is immutable, Leach said.
Regulators hold financial institutions responsible for understanding and managing security risks, including the use of cloud services, Betz said. To mitigate risk, financial institutions should perform due diligence and conduct ongoing oversight. For example, to do in-depth risk analysis, institutions need to make sure they understand the software bills of materials of their chosen solutions, so they are able to address newly identified vulnerabilities, she said.
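One concrete form that SBOM due diligence takes is matching the components listed in a software bill of materials against an advisory feed, so that a newly published vulnerability can be traced to the affected solution. The following is an added illustration, not code from the article or from FS-ISAC or the Cloud Security Alliance: it reads a constructed CycloneDX-style SBOM (placeholder component names and versions), walks nested components as well as top-level ones, and reports which components fall inside a constructed advisory's affected version range. The advisory identifiers and version ranges are invented sample data, not real vulnerabilities.

```python
import json

# Constructed CycloneDX-style SBOM. Component names and versions are
# placeholders chosen for the example; they do not describe real software.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.3.0",
     "components": [
       {"type": "library", "name": "tinyparser", "version": "0.4.0"}
     ]},
    {"type": "library", "name": "fastjsonx", "version": "2.0.1"},
    {"type": "library", "name": "cryptoutil", "version": "0.9.5"},
    {"type": "library", "name": "logtool", "version": "3.2.0"}
  ]
}
"""

# Constructed advisory feed: placeholder IDs, not real CVEs. A component is
# affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADV-EXAMPLE-0002", "name": "tinyparser", "introduced": "0.1.0", "fixed": "0.5.0"},
    {"id": "ADV-EXAMPLE-0003", "name": "fastjsonx", "introduced": "2.0.0", "fixed": "2.0.1"},
    {"id": "ADV-EXAMPLE-0004", "name": "cryptoutil", "introduced": "1.0.0", "fixed": "1.0.3"},
]


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so comparisons are numeric, not lexical.

    Only plain dotted-numeric versions are handled here; a real feed needs a
    proper version library to cope with pre-release and build suffixes.
    """
    return tuple(int(part) for part in text.split("."))


def iter_components(components):
    """Walk the component tree depth-first; nested (transitive) entries count too."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def is_affected(version, advisory):
    """True when the version lies inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def load_sbom(text):
    return json.loads(text)


def find_affected_components(sbom, advisories):
    """Return (name, version, advisory id, fixed version) for every match."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    hits = []
    for comp in iter_components(sbom.get("components", [])):
        for adv in by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv):
                hits.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id, fixed in find_affected_components(load_sbom(SBOM_JSON), ADVISORIES):
        print(f"{name} {version}: {adv_id} (fixed in {fixed})")
```

Run as written, the script flags the top-level examplelib component and the nested tinyparser component, while fastjsonx (already at the fixed version) and cryptoutil (below the introduced version) are left alone. The nested walk is the point: a supplier's SBOM often lists transitive dependencies under the component that pulls them in, and a flat scan of the top level would miss them.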
Going forward, new regulatory requirements will require further scrutiny of cloud service providers that previously did not have direct regulatory obligations, Leach said.
"For example, the Digital Operational Resilience Act will provide new expectations for the role of supply chain and solution providers by expecting threat-led penetration testing of the cloud service provider, which qualifies under their definition of Information and Communications Technology provider," he said. The new PCI DSS v4.0 requirements include similar expectations for multitenant service providers and detail how they must be assessed for security. Both sets of requirements will go into effect in the first quarter of 2025, Leach said.