The rapid adoption of cloud technology within the financial services industry shows no signs of slowing. Businesses are embracing the cloud to reduce IT costs, increase employee productivity, and drive innovation and growth, and the average enterprise within the industry now uses more than 1,000 cloud applications.
Yet opportunity breeds risk and, in this case, the potential for sensitive data to be compromised keeps growing. The problem is that awareness of cloud use within the industry remains poor, both of how many services are actually in use and of what good practice looks like. Any data breach is likely to expose sensitive information, so, to protect customers and consumers, the Financial Conduct Authority (FCA) releases regular guidance. The latest, ‘Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services’, helps to interpret exactly what is expected of financial services organisations under the Financial Services and Markets Act 2000. The guidance covers the full lifecycle, from the initial decision to use the cloud right through to exit strategies.
One of the major weaknesses in today’s complex computing mix is third parties that handle shared data without the same level of security methodology as the originating organisation. Yet it is the originating business that will be held responsible for any data loss suffered at the cloud provider, or by anyone else along the supply chain. The guidance sets out areas for firms to consider before commencing use of any cloud service, but conforming to all of them is not easy. For example, on cloud services’ supply chains, it states that businesses “should review sub-contracting arrangements” to ensure that data is protected by the relevant measures wherever it resides. However, many of these sub-contracting agreements are confidential, so complete visibility isn’t possible unless the firm’s own contract with the provider demands that information.
To mitigate the risk, companies must carry out comprehensive due diligence. Everything from data centre locations and ease of access to data, to encryption capabilities and compliance with international regulations, must be scrutinised; a shortfall in any one of them can leave an organisation falling short of the guidance. Once each application has been evaluated and given a risk rating, the business can create a whitelist of approved services and a blacklist of ones that should be avoided.
At the start of a relationship with a cloud service provider, some organisations give little thought to what happens at the end. Even after the relationship ceases, the business will still face the wrath of impacted parties and regulators if data is compromised. The guidance states that a firm should “know how it would remove data from the service provider’s systems on exit”; this means ensuring data will be returned, migrated to another application or permanently deleted, and obtaining confirmation from the provider that this has actually happened.
The FCA will judge organisations on all cloud usage, regardless of whether the IT department is aware of the full range of applications in use. It’s common for employees to adopt services without IT’s knowledge to help them do their jobs better, but they rarely consider the bigger picture and the risk they are introducing to the organisation. Some cloud services, for example, claim broad rights over (and in some cases ownership of) content as soon as it’s uploaded, a big problem if workers are using them to share sensitive information with colleagues. To conform with the guidance, it’s imperative for businesses to be able to monitor and report on overall cloud usage. This should include the applications being used, the type and volume of data being uploaded and whether the services hold that data inside or outside the EU.
What is becoming apparent is that, as cloud adoption continues to increase and regulations become more stringent, the estate is now too complex to manage without further tools. Cloud Access Security Broker (CASB) technology enables IT departments to answer many of the questions posed in the FCA guidance, monitor all cloud use across the enterprise and measure the risk posed. Red flags are raised when unusual traffic patterns or high-risk applications are identified, giving businesses time to resolve situations before they escalate and to steer employees towards approved alternatives. Furthermore, such technology lets companies check that cloud services comply with the business’ own cybersecurity standards. Imagine lending someone your car: you’d want them to look after it the way you do, and firms must think similarly about their data. Extra security capabilities can be layered onto services too, such as enhanced logging, multiple encryption modes and external collaboration controls.
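To make the monitoring and reporting described in the two paragraphs above concrete, here is a small added example (not code from the article, nor from any CASB vendor) that builds a shadow-IT inventory from web-proxy logs. Everything in it is assumed: the CSV log shape `timestamp,user,method,host,bytes_out`, the hand-built application register that stands in for the whitelist/blacklist produced by due diligence, the constructed log lines, and a policy threshold of 50 MiB uploaded per user per application. It reports which applications are in use, who uses them, how much data left the organisation and whether the service holds data inside or outside the EU, and raises the kind of red flags a CASB would: uploads to unsanctioned or high-risk services, uploads to non-EU services, hosts that have never been reviewed, and unusually large upload volumes.

```python
"""Added example (not from the article): a minimal shadow-IT inventory
built from web-proxy logs, approximating what a CASB discovery feature does.

Assumptions, none of which come from the article: a proxy log in the CSV
shape 'timestamp,user,method,host,bytes_out', a hand-built application
register produced by the due-diligence review, and a constructed policy
threshold of 50 MiB uploaded per user per application.
"""
import csv
import io
from collections import defaultdict

# Constructed application register: host -> review outcome.
# 'sanctioned' records the whitelist decision, 'risk' the assigned rating,
# 'region' where the provider holds customer data.
APP_REGISTER = {
    "app.corpfiles.example":  {"app": "CorpFiles", "sanctioned": True,  "risk": "low",    "region": "EU"},
    "share.freedrop.example": {"app": "FreeDrop",  "sanctioned": False, "risk": "high",   "region": "US"},
    "notes.quickpad.example": {"app": "QuickPad",  "sanctioned": False, "risk": "medium", "region": "EU"},
}

UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024  # constructed policy value

# Constructed proxy log. bytes_out is the request body size, i.e. data
# leaving the organisation; GETs carry no upload.
SAMPLE_LOG = """timestamp,user,method,host,bytes_out
2023-05-01T09:01:00Z,alice,PUT,app.corpfiles.example,1048576
2023-05-01T09:05:00Z,alice,POST,share.freedrop.example,73400320
2023-05-01T09:07:00Z,bob,GET,notes.quickpad.example,0
2023-05-01T09:09:00Z,bob,POST,notes.quickpad.example,204800
2023-05-01T09:12:00Z,carol,POST,unknown-saas.example,5242880
"""


def parse_log(text):
    """Yield log rows as dicts with bytes_out as int; malformed rows are skipped."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["bytes_out"] = int(row["bytes_out"])
        except (KeyError, TypeError, ValueError):
            continue
        yield row


def summarise(rows):
    """Total bytes uploaded per (user, host)."""
    totals = defaultdict(int)
    for row in rows:
        totals[(row["user"], row["host"])] += row["bytes_out"]
    return totals


def inventory(log_text, register=APP_REGISTER, threshold=UPLOAD_THRESHOLD_BYTES):
    """Build the usage report the guidance asks for, plus a list of findings.

    report:   app name -> sanctioned, risk, region, set of users, bytes_out
    findings: (severity, code, user, app) tuples for the security team;
              codes are unregistered-host, unsanctioned-upload,
              non-eu-upload and volume-threshold.
    """
    report = {}
    findings = []
    for (user, host), nbytes in sorted(summarise(parse_log(log_text)).items()):
        entry = register.get(host)
        if entry is None:
            # Never reviewed, so on neither list: queue it for due diligence.
            entry = {"app": host, "sanctioned": False, "risk": "unknown", "region": "unknown"}
            findings.append(("high", "unregistered-host", user, host))
        name = entry["app"]
        rec = report.setdefault(name, {
            "sanctioned": entry["sanctioned"], "risk": entry["risk"],
            "region": entry["region"], "users": set(), "bytes_out": 0,
        })
        rec["users"].add(user)
        rec["bytes_out"] += nbytes
        if nbytes == 0 or entry["risk"] == "unknown":
            continue  # nothing left the organisation, or already queued above
        if not entry["sanctioned"]:
            severity = "high" if entry["risk"] == "high" else "medium"
            findings.append((severity, "unsanctioned-upload", user, name))
        if entry["region"] != "EU":
            findings.append(("medium", "non-eu-upload", user, name))
        if nbytes > threshold:
            findings.append(("high", "volume-threshold", user, name))
    return report, findings


if __name__ == "__main__":
    report, findings = inventory(SAMPLE_LOG)
    for name, rec in report.items():
        print(f"{name:<22} sanctioned={rec['sanctioned']!s:<5} risk={rec['risk']:<7} "
              f"region={rec['region']:<7} users={len(rec['users'])} bytes_out={rec['bytes_out']}")
    for severity, code, user, name in findings:
        print(f"[{severity}] {code}: {user} -> {name}")
```

In a real deployment the register would be fed from the due-diligence process and the log from the proxy or CASB API, and the "unregistered-host" findings are the list of services IT did not know about; the volume threshold is the crudest possible version of the "unusual traffic pattern" check and would normally be replaced by a per-user baseline.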
Ultimately, the guidance acts as a best practice for financial services organisations as they use the cloud. Conforming completely won’t be straightforward and firms must understand that it is no longer simply the remit of IT or the compliance team. Businesses must take it upon themselves to provide the relevant training – ensuring all employees are aware of the risks of unsanctioned cloud services and how to safely use approved ones.