The U.S. Department of the Treasury and the Financial Services Sector Coordinating Council (FSSCC) published a suite of resources to share with financial services institutions on effective practices for their secure cloud adoption journey.
These deliverables are the result of a year-long public-private partnership of “the Financial and Banking Information Infrastructure Committee (FBIIC) and the FSSCC.”
To provide leadership support for this joint effort, the U.S. Department of the Treasury established the Cloud Executive Steering Group (CESG) in May 2023 “at the direction of the Financial Stability Oversight Council (FSOC), to help close the gaps identified in Treasury’s landmark report on the Financial Services Sector’s Adoption of Cloud Services.”
The documents published are “intended to arm financial institutions of all sizes with effective practices for secure cloud adoption and operations, and to establish a continuing effort and partnership to begin to address the gaps identified in Treasury’s report,” which include:
- Establishing a common lexicon that may be used by financial institutions and regulators in discussions regarding cloud.
- Enhancing information sharing and coordination for examination of cloud service providers.
- Assessing existing authorities for cloud service provider (CSP) oversight.
- Establishing best practices for third-party risk associated with cloud service providers, outsourcing, and due diligence processes to increase transparency.
- Providing a roadmap for institutions considering comprehensive or hybrid cloud adoption strategies including an update to the Financial Sector’s Cloud Profile.
- Improving transparency and monitoring of cloud services for better “security by design.”
Deputy Secretary of the Treasury Wally Adeyemo said:
“The completion of these two efforts is the culmination of nearly two years of collaboration to further protect our financial system. The CESG is now a proven model and a new way for the financial services sector to effectively address our most significant cybersecurity challenges.”
Consumer Financial Protection Bureau Director Rohit Chopra said:
“Our financial system is essential infrastructure for the entire economy, and it is deeply reliant on a handful of powerful Big Tech cloud service providers. Our work will help protect the financial industry from outages and disruption by leveling the playing field between financial firms of all sizes and big cloud service providers.”
The CESG model represents “an unprecedented level of public-private partnership between Treasury, FBIIC, FSSCC, and cloud service providers (CSPs).”
Clear explanations for the utility and “application of the documents can be found here, on the U.S. Treasury website.”
The website also includes links to the FSSCC-led outputs “so that financial institutions can consult them at any part of their cloud services adoption journey and risk management process.”
The FSSCC led the following workstreams:
The Cloud Profile 2.0, authored collectively “by the FSSCC Cloud Profile Workstream and the Cyber Risk Institute (CRI), is intended to serve as a cloud security implementation plan for financial institutions of all sizes and functions. The Cloud Profile 2.0 is an extension of the Cybersecurity Profile created by CRI, which is a tool based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It provides a framework for both financial institutions and CSPs and will serve as a common tool developed to assist financial institutions in ensuring secure cloud implementation, while allowing the document to evolve as standards change over time.”
The Financial Sector Cloud Outsourcing Issues and Considerations document seeks to address challenges raised in the Treasury Cloud Report “related to transparency, resource gaps, exposure to operational incidents originating at CSPs, and contract negotiation dynamics.”
The document, authored collectively by “the FSSCC Cloud Outsourcing Issues and Considerations Workstream and the American Bankers Association (ABA) with support from the Securities Industry and Financial Markets Association (SIFMA), identifies a non-exhaustive list of key considerations for developing contractual provisions between financial institutions and CSPs to address risks, regulatory and supervisory compliance expectations when using cloud services.”
These key considerations should be used “as a voluntary reference tool by financial institutions during the contract negotiation phase of onboarding a CSP to appropriately address cybersecurity, resilience, and third party-due diligence expectations, and to enable compliance with growing financial services regulatory requirements and supervisory expectations.”