4 areas of focus for evaluating cloud-based vendors
Cloud adoption has been ramping up for the last several years, with financial institutions even migrating some core processes to the cloud and developing cloud-native apps. Post pandemic, bankers are accelerating those plans, especially as they look to further digitize the experience.
In fact, a recent survey found that almost half of bankers say that Covid encouraged them to increase spending on cloud projects. Last year, financial institutions spent $36 million on cloud projects, and it’s expected to increase from 1% to as high as 10% over the next couple of years.
“The cloud” is an often-confusing term: many individuals believe it is a mysterious place where data floats and can simply appear at the press of a button. But the cloud is a real place, and it’s often many places spread across multiple data centers.
Simply put, the cloud is buying space on someone else’s infrastructure (or data center) to store and/or process data which you can then access via the Internet. Sometimes these computers are used exclusively by one institution, known as a private cloud. Other times, several clients use the same computers at a data center, known as a shared cloud.
The cloud can provide tremendous value, as noted by increased spending. But there are also risks that must be carefully considered.
Like any other third-party IT vendor, a cloud provider faces all the same risks, including cyber risk, reputation risk, and operational risk. Additionally, its growing popularity is gaining the attention of regulators. Regulators are looking closely to see that institutions are aware of cloud risk and taking steps to mitigate or lower that risk.
Related: Download our whitepaper on assessing third parties and measuring what matters
Guarding Against Cybersecurity Threats: Assessing Third Parties (ncontracts.com)
When evaluating cloud-based vendors, financial institutions should adhere to their existing vendor management cyber guidance, paying special attention to:
Ensure the provider follows privacy laws. Specific responsibilities for data protection must be defined and communicated, often in the service level agreement of the contract.
There should be clearly defined procedures for responding to and reporting security incidents and notifying customers and regulators of any breaches.
Access to cloud data should be defined and restricted. Audit logs should be maintained to monitor and detect changes. Data should be encrypted at all times—both at rest and during transmission. When using shared clouds, an institution’s data must be segregated from other client data.
All cloud data should be housed in the United States. If a vendor won’t tell you where data is stored, find another vendor.