X

Treasury Provides New Resources on Secure and Effective Cloud Adoption

Chuck Hollis Commentary by Chuck Hollis

The Treasury Department and the Financial Services Sector Coordinating Council ("FSSCC") provided a "suite of resources" for financial services institutions on practices for securing effective cloud adoption and operations.

The resources include:

  • The Cloud Profile 2.0. This document is intended to serve as a cloud security implementation plan for financial institutions of all sizes and functions. It is an extension of the Cybersecurity Profile created by the Cyber Risk Institute to further provide a framework for both financial institutions and cloud service providers ("CSPs").
  • The Financial Sector Cloud Outsourcing Issues and Considerations. This document seeks to address challenges raised in a Treasury Report, which identified gaps in the adoption of cloud services in the financial services sector, including issues of transparency, resource gaps, exposure to operation incidents originating at CSPs and contract negotiation dynamics. 
  • The Transparency and Monitoring for Better "Secure-by-Design." This document offers (i) a service inter-dependency and resilience model and (ii) a packaged cloud configuration model.
  • The Cloud Lexicon. This document captures "the most prominent terms used by [CSPs] and financial services sector consumers for a single, convenient repository and reference points." 
  • The Coordinated Information Sharing and Examinations Initiative. This document addresses coordination of examinations and information sharing related to CSPs. 

Treasury stated that additional information on the utility and application of the documents is on the Treasury website (see here). 

Commentary

Chuck Hollis
Chuck Hollis

Cloud adoption has expanded, and continues to expand, rapidly in all sectors.  However, many companies, especially in the financial services sector have struggled to match the commitments from the cloud service providers to the regulatory requirements imposed on those companies. This has especially been an issue for medium to small financial services companies that do not have the spend, nor the leverage, to obtain bespoke solutions and contract terms from the large cloud service providers. This gap also continues to be an issue for 4th party cloud solutions providers. However, it is hopeful that this guidance prepared by the US Department of Treasury and the Financial Services Sector Coordinating Counsel, which included input from the financial services companies as well as the cloud service providers, will help drive consistency and real solutions to the issues faced by the financial services companies, and help close the gaps between the cloud services providers, as financial services companies continue their migration to the cloud.

Email me about this

Primary Sources

  1. Treasury: Press Release: Treasury and the Financial Services Sector Coordinating Council Publish New Resources on Effective Practices for Secure Cloud Adoption
  2. Treasury: Information: Cloud Executive Steering Group
  3. Treasury: Report: The Financial Services Sector's Adoption of Cloud Services

Tags

Regulated Activities
Data Protection / Cybersecurity Technology (not Cyber)
Body of Law
Securities Law
Jurisdiction
US - Federal
Organization
Treasury / FinCEN / OFAC / CFIUS