Many risks lurk for banks in the cloud: Treasury report

Banks and their tech providers are running into problems as they navigate an industry-wide shift to cloud computing, the U.S. Treasury Department found.

In a report published Wednesday, the government cited a lack of transparency among cloud service providers, which hampers banks' ability to monitor their vendors; a shortage of cloud computing expertise at community banks; and concentration risk from a small number of providers serving a large number of financial institutions.

"While cloud services can increase access and reliability for local communities as well as empower community banks to compete with financial technology firms, the report found that financial service firms ramping up their reliance on cloud-based technologies need more visibility, staff support and cybersecurity incident response engagement from cloud service providers," the Treasury said in its announcement of the report. 

Some observers agreed with the government's findings.

"My read of the announcement is that Treasury rightly realizes that most small to mid-sized financial institutions are in the midst of the largest technology uplift in most of their histories," said Sultan Meghji, a professor at Duke University and former chief innovation officer at the FDIC. "Treasury also knows that most banks are moving to the cloud, and need to radically upgrade their people and processes at the same time in order to reduce the risk to their organizations."

U.S. banks have ramped up their use of cloud computing, using software or infrastructure hosted by cloud service providers like Microsoft, Google or Amazon.

Cloud computing was a top-five 2023 spending priority for more than 40% of U.S. bank executives who responded to an Arizent/American Banker survey released in December. Eighty percent of respondents said they expect to have at least 20% of their computing in the cloud in 2023. 

Momentum has been building since early 2021, when Capital One completed the migration of computing from its data centers to Amazon Web Services.

That fall, JPMorgan Chase announced it would use a cloud-based core banking system from Thought Machine for its retail bank and Wells Fargo said it would migrate many applications to Microsoft Azure and Google Cloud. KeyBank in Cleveland announced in February 2022 it would put primary applications on Google Cloud in a project expected to end in 2025. That same month, U.S. Bank in Minneapolis said it plans to move most applications to Microsoft Azure over the next three years. 

But, as this Treasury report confirms, some of the reservations bankers have always had about cloud computing — for instance, that it could open up their vital customer data to new cybersecurity threats — have merit.

"Many financial institutions have expressed concern that a cyber vulnerability or incident at one cloud service provider may potentially have a cascading impact across the broader financial sector," the report said. 

The Treasury also said there's a lack of transparency among the cloud providers that serve small banks when it comes to cybersecurity attacks or operational outages.

"Community banks expressed concerns that they do not often receive details of incidents or outages impacting their systems," the agency stated. Some cloud service providers are better at this than others, but more effort is needed across the board, the report said.

Further, banks and their cloud providers lack the human capital and tools to securely deploy cloud services, the Treasury report said. 

"The current talent pool needed to help financial firms tailor cloud services to better serve their customers and protect their information is well below demand," the Treasury said. "Cloud service providers need to increase employee engagement experts, and to improve supportive technological tools and adoption frameworks that can help ensure that financial service firms design and maintain resilient, secure platforms for their customers."

Market concentration is another risk. Only a few companies sell cloud services to banks.

"If an incident occurs at one, it could affect many financial sector clients concurrently," the Treasury said in its report. 

The Treasury is also worried that banks don't have enough negotiation power in their dealings with cloud computing providers, given the small number of vendors. 

And the agency is concerned that each country has its own rules for cloud computing, which could create regulatory conflicts.

"I think most of the organizations that are the target of Treasury's comments aren't doing a lot of the things that are being recommended," Meghji said. "Of the six recommendations, I can't think of a single bank in the small to midsize range that I'd rank eight out of ten across all of them," Meghji said. "Human capital is probably one of the worst areas, and it directly leads to many of the operational issues, like vulnerability to ransomware, that come from that. Small and midsize banks are especially vulnerable to the contract negotiation issues."

These cloud computing challenges are an example of how hard it can be to balance innovation against safety and soundness, noted Patrick Sells, former chief innovation officer at Quontic Bank and currently co-founder of True Digital Group, a consulting and training firm.

"Ultimately cloud computing is a powerful force for financial innovation and inclusion," he said. "Just as we came to be comfortable with the core systems and the roles they play, I deeply hope we arrive in a similar place with cloud providers."

For reprint and licensing requests for this article, click here.
Cloud computing Technology
MORE FROM AMERICAN BANKER