Receive our daily newsletter

House Financial Services Task Force Considers Regulation of Cloud Service Providers

The House Financial Services Committee Task Force on Artificial Intelligence considered proposed legislation on the regulation of cloud service providers ("CSPs"). The draft bill – the "Strengthening Cybersecurity for Financial Sector Act of 2019" - would authorize the National Credit Union Administration ("NCUA") and the Federal Housing Finance Agency ("FHFA") to oversee third-party cloud service vendors for (i) credit unions, (ii) Fannie Mae, (iii) Freddie Mac and (iv) Federal Home Loan Banks.

Background

In a memorandum prepared by HFC majority staff ("Staff"), the "cloud" was generally defined as business strategies, technologies and related architectures that "permit users to receive information, data, and files on demand from a third-party service provider though the internet." Staff noted that many analysts predict large banks will migrate most of their data to cloud platforms in the next five to ten years. Artificial intelligence ("AI") is expected to become increasingly important to cloud activity, as it will (1) streamline tasks and movement toward self-managed clouds, and (2) improve the management of data, including faster updates and indexing.

According to the Memorandum, two laws currently govern CSPs: (i) the Bank Service Company Act and (ii) the Gramm-Leach-Bliley Act ("GLBA"). Staff asserted that - aside from 2012 Federal Financial Institutions Examination Council guidance on outsourced cloud computing - regulators have provided minimal instruction on how financial institutions should engage with CSPs. The proposed legislation would make regulatory expectations current and would address the concentration of cloud services among a few large technology companies, which heightens the potential impact of a security incident. Staff stated that the proposed authority for the NCUA and FHFA would be similar to banking regulators' oversight of the third-party vendors of banks.

Testimony

New York University Associate Professor Meredith Broussard, an affiliate of the NYU Center for Data Science, supported the bill, saying that "citizens' rights and human rights must be protected online as they are offline." She advocated for (i) the "abundant oversight of CSPs, "(ii) legislation that would mandate financial regulatory compliance training for staffers of CSPs, and (iii) legislation that would make data server farms liable for data breaches.

Internet Association Cloud Policy Director and Counsel Alla Goldman Seiffert minimized concerns regarding cloud computing by emphasizing its potential to help the financial sector enhance cybersecurity and operational resilience.

McAfee, LLC Senior Vice President and Chief Technology Officer Steve Grobman urged policymakers to avoid imposing additional cybersecurity regulations and, instead, to (i) support industry-approved standards and best practices (e.g., the NIST Cybersecurity Framework) and (ii) update existing cybersecurity rules to address new technologies when necessary. Mr. Grobman stated that the biggest challenges facing financial services and cloud providers are (i) conflicting regulations, (ii) a constantly evolving technology landscape, and (iii) the increasing sophistication of cyberattacks.

Inpher CEO and Co-Founder Jordan Brandt advocated for AI and privacy protections. Dr. Brandt warned that the United States is in a "technology arms race" against other countries, such as China, that do not protect individual rights.

American Bankers Association Senior Vice President of Risk Cybersecurity Policy Paul Benda reminded the Task Force that:

  1. financial institutions are required to protect their data, regardless of where it is stored, pursuant to Title V of the GLBA;

  2. each financial institution must determine whether using the cloud is the right option based on its business model and risk analysis and mitigation strategy, as well as regulatory requirements;

  3. financial institutions, CSPs and regulators should work together to create the appropriate governing framework for cloud security; and

  4. additional clarification of the roles and responsibilities of regulators with oversight of the CSPs would be helpful to market participants.

Premium Content

Available only to Cabinet Premium subscribers.