Report Cites Security Risks as Credit Unions, Banks Migrate to Cloud
A Treasury Department report questioned whether credit unions and banks were prepared to manage security issues related to cloud technology. Learn why.
Consolidation, lack of expertise highlighted by Treasury Dept. as potential issues related to technology.
Although many financial institutions are using cloud service providers, those credit unions and banks may lack the expertise to properly evaluate the technology, the Treasury Department said, in a report last week.
“It is essential that financial institutions fully understand risks associated with cloud services so they can build their technology architecture with appropriate protections for consumers,” stated the report evaluating use of those services.
And the department added, “While cloud services can increase access and reliability for local communities as well as empower community banks to compete with financial technology firms, the report found that financial service firms ramping up their reliance on cloud-based technologies need more visibility, staff support, and cybersecurity incident response engagement from Cloud Service Providers.”
The report cited the limited number of providers offering cloud services, adding that the department recommends financial regulators continue to investigate the risks associated with so few companies in the field.
It was further noted that depository institutions’ exposure to the cloud is indirect via third parties that likewise rely on cloud services.
Impact on the NCUA and Credit Unions
The report also mentioned that the FDIC, OCC and the Fed have statutory authority under the Bank Service Company Act to examine and regulate the performance of certain services provided by third-party providers. The NCUA, however, does not have that authority.
NCUA board members and some members of Congress have called on the House and Senate to enact legislation providing the agency with that power, which it temporarily had to address the risks associated with the Y2K transition. That authority has expired, with Congress yet to renew it.
Specific Concerns Raised in the Report
In the report, the department cites several issues surrounding the use of cloud services by credit unions and banks. Those issues include whether such institutions:
–Are being given sufficient information about the risks associated with certain services.
–Have adequately trained staff to understand the industry and risks associated with it.
–Understand that market concentration in cloud service offerings means that if a cyber incident occurs at one service provider, it could affect many financial sector clients concurrently.
What Comes Next?
Treasury Department officials said that in an effort to address those challenges, it will establish an interagency Cloud Services Steering Group within the next year to encourage cooperation between financial regulators. Among other things, the steering group will develop tabletop exercises for the private sector, as well as best practices for cloud frameworks and contracts.
“There is no question that providing consumers with secure and reliable financial services means greater demand for cloud-based technologies,” Deputy Secretary of the Treasury Wally Adeyemo said, as he released the report. “Treasury is committed to working with financial regulators, industry partners, and cloud service providers to drive greater collaboration and transparency. By building trust, cooperation, and collaboration at the outset, we can promote safe and effective migration for financial institutions that choose to adopt cloud services.”