Financial services companies have been cautious adopters of the cloud, with data security top of a list of concerns. But the enhanced risk management capabilities offered by expert software and data management providers can convert a perceived problem into an advantage. And collaboration is the key.
The benefits of the cloud are already being experienced by companies and their customers across the world. But in banking, beset by a world of issues and still traumatised by the post-2008 implosion, adoption of cloud-based technologies has been slower. Change, though, is happening and it is likely to accelerate over time from the initial migration to the cloud of non-core services, to a broader suite of functions. Yet this migration is dependent on financial institutions’ understanding of the value that cloud providers can offer in managing security and keeping pace with complex and changing regulatory demands.
Growth in the cloud-computing sector promises to be exponential. The research firm IDC expects the cloud software market to surpass $100bn by 2018 at a compound annual growth rate of 21.3%. That’s about five times faster than classic packaged software.
And the uses of cloud services and software are also fast evolving. For example, we are seeing cloud companies use artificial intelligence to crawl data and find combinations of the likes, interests and affinities of consumers to profile clients and to tailor better services.
Behind that, though, a myth persists – perhaps driven by media and fed by the complexity of cybercrime – that public and private clouds are a hacker’s dream, and that security vulnerabilities are an inevitable by-product of cloud migration. For the banking industry, any potential for security weakness within a technology immediately renders it unviable.
The cloud advantage
However, the reality is that the cloud, whether for data management, software, or other collaborative and previously labour-intensive functions, does not jeopardise security. Rather, the major cloud platform providers offer best-in-class protection, and work daily to combat threats. Indeed, many observers believe that as long as financial services firms plan cogently and work closely with cloud partners, most enterprise grade cloud computing systems can provide superior security to in-house applications.
One only needs a cursory scan of the media to conclude that banking security breaches have become more commonplace in recent months (or at least higher profile). Most of us are familiar with the so-called Shylock attacks in Britain or the compromises on Wall Street last year. The 2014 IBM Chief Information Security Officer Assessment found that almost 60% of security leaders said that the sophistication of attackers was out-stripping their defences. More than 80% had seen external threats increase recently; at the same time 86% had adopted cloud or were planning initiatives.
The attackers – or “threat agents”, in the jargon – could be industrial spies looking to sell sensitive or competitive information; hostile nations seeking sensitive information or to threaten infrastructure; “hacktivists” defending ideological views; cyberterrorists, aiming to threaten national security or societies; or simply cybercriminals, hoping to profit from illegal activity. Sometimes the groups meld; often security lapses are internal.
No let-up is expected in future, although attacks are likely to become harder to detect because of their more sophisticated and mutating nature. Indeed, it is important to highlight the difference between breaches and attacks: many observers are convinced that the biggest risk is still internal, involving rogue employees or inadequate processes at banks or service providers. Substantial secondary risk can come from upgrading to new types of hardware, notably devices, and use of less secure internet access points.
Increasingly, banks are purchasing software as a service (SaaS), which is managed and maintained by software providers, rather than installing and managing it in-house. Consequently, the responsibility for data security now rests with these external providers. While banks have often assumed that this is likely to expose vulnerabilities, the inverse is actually the case.
Security through collaboration
As the IBM Assessment found, seeking protection by trying to insulate a system’s security from outside threats is becoming less realistic in today’s world. Information security boundaries are expanding, blending and mutating, meaning security teams need to collaborate within and across industries. Whole technological ecosystems need to be secured, rather than the focus being on localised threats only.
Now more than ever, close collaboration in the banking industry is vital. Much is being done by cloud providers and industry organisations to ensure that they retain best-in-class security and standardise multiple competing frameworks. This is especially true of the Cloud Security Alliance and its Cloud Controls Matrix (CCM), which provides security principles to guide cloud vendors and to assist prospective customers in assessing security risk at cloud providers.
The CCM defines common business data security control requirements, identifies threats from the cloud, provides standardised risk management tools, and seeks to use a single terminology for security assessments.
Investment in compliance
As banks look more closely at the cloud, expert cloud service vendors and their platform partners offer assurance that security issues are being addressed, through investing heavily in experienced compliance resources with up-to-date knowledge on security requirements.
In a SaaS model, banking software is licensed on a subscription basis and centrally hosted, with the cloud experts providing continuous support and brainpower to safeguard security. Such systems can reduce the risk inevitable in legacy in-house systems and offer customers and staff consistency across products and regions. They allow more standardisation and higher availability of back-office products, so that customer-facing front-end solutions can more easily interact with each other.
With cloud system providers, the strictest compliance levels come as standard, and they offer real-time reporting mechanisms that are often superior to those run in banks.
Smaller institutions leading the way
So far, smaller and start-up financial institutions have been more prepared than their larger peers to make the leap to the cloud for data management and software, benefiting from the latest technology and lower upfront costs. This means they are also able to offer customers a larger suite of services, which are easy to upgrade, available on a range of platforms, including mobile, and potentially at lower prices.
Some, like challenger banks, are in the enviable position of creating infrastructure from a clean slate, without the constraints of negotiating burdensome legacy systems. The challenger bank model is in many cases a start-up spun off from a larger parent, for example, RBS or Lloyds. Other small banks might focus on niche (or market-specific) services such as trade finance, which rely on partners and lend themselves more readily to sharing data in the cloud.
Many tier one banks, however, are left with a dilemma that understandably invites caution. They see the inherent benefits of cloud but are unable fully to embrace them. Whether data is outsourced or not, in the case of a breach, the buck stops with the data owner, and it always will.
The potential impact of reputational and brand damage is often perceived to outweigh any possible upside of a new technology. We have already seen senior executives at the large US retailer Target paying the price for cyber infiltration. It would be no different for bank executives. In September 2014, South Korea-based Kookmin Bank’s chief executive, Lee Kun Ho, resigned after being reprimanded by the national financial watchdog following a series of missteps at his bank and parent KB Financial Group. Those missteps reportedly included changes in the bank’s computing system and leaks of client data.
In addition, there are structural impediments to overhauling massive and complex legacy back-end infrastructure. It’s far harder to embrace disruptive change when you employ tens or hundreds of thousands of resources globally in myriad sites and jurisdictions, and have complex technology departments. According to a study by NTT Communications in 2013, 71% of financial services CIOs said they would adopt cloud if their legacy IT was less complex, with 62% saying complexity was the main barrier to adopting the cloud. The figure was lower in sectors other than banks.
Still, banks that decide to migrate only in a limited sense can allow the cloud to shoulder the burden of less sensitive tasks, like maintaining old systems, patching vulnerabilities, expanding bandwidth and managing downtime to take systems offline during migrations or upgrades.
Regulatory pressures add a further level of complication. Compliance officers have to balance remaining attuned to the shifting regulatory landscape while simultaneously protecting their core business. Making best use of the cloud in this climate is a complex challenge.
While most financial regulators have yet to pass specific policies on cloud computing, there are a number of rules including data security laws that apply to the sector and restrict leeway. One of the greatest problems is the cloud’s extraterritoriality. Some data sovereignty laws require companies to store data on servers in the home market. That in turn could force cloud-computing firms to build small data centres in multiple markets, reducing savings.
Regulators like the UK’s Financial Conduct Authority demand audit rights and sometimes conduct spot checks on controls, triggering client reservations about data location and accessibility. Providers of cloud services, of course, cannot provide open access to their server farms precisely due to security concerns. In Europe, where privacy rules tend to be more stringent than in the US, the latest regulatory push will bring extra security obligations for banks and their suppliers in relation to data breaches, via the proposed General Data Protection Regulation and the proposed directive on Network and Information Security, which are still progressing through Brussels. All of this adds to the compliance burden and could trigger more investigations (and associated reputational risk).
At the same time, cloud providers are making sure they keep regulatory requirements at the heart of what they deliver. Ultimately, the requirements of the regulator and the provision of cloud services are becoming inseparable.
What’s in the clouds?
Even if progress is bumpy, change is coming, because the cost and customer benefits are ultimately so compelling. Industry analysts at Gartner have predicted that by next year, more than 60% of global banks will process the majority of their transactions in the cloud.
The trend for larger banks is to start with non-core or less sensitive activities such as mobile applications and order management systems, and then to graduate to portfolio management systems and Monte Carlo simulations that apply different variables and scenarios to model the pricing of assets or derivatives. Conducting these simulations in the cloud can allow more simulations to be done, and at a faster rate.
In 2013, the Dutch central bank gave approval to Amazon Web Services to provide cloud services for banks’ credit and risk calculations. The Dutch asset management firm Robeco Direct, which also offers retail services, recently moved its retail banking platform to the cloud. The Spanish lender Banco Popular and Boursorama, owned by Société Générale, have both turned to IBM for cloud projects.
Banks in other regions such as Africa have for some time been sending encrypted data to cloud platforms, where it interacts with mobile applications built by vendors allowing clients to authenticate transactions like online card purchases, wire transfers and ATM withdrawals via mobile devices, before integrating them with clearers like Swift. Emerging markets are powerful examples of what can be achieved when banks are not battling old legacy systems and infrastructure and are starting with a cleaner slate.
For banks and brokerages that are not ready to move their data to a public cloud, there are other options like storage in private, in-house clouds, with a degree of outside help, or via hybrid clouds, which combine public aspects for consumer data with in-house privacy for sensitive information. One interesting offshoot of this hybrid trend might be larger firms looking to develop their own brand of cloud accounting software, for example, for small business customers.
From hybrid to complete solutions
For banks, the migration to the cloud is happening, with hybrid solutions and trends like virtualisation forming important steps in the path towards full data and software transferral.
Cloud service providers and their partners have the expertise to ensure that, as banks follow that path, they retain the same level of control over privacy that they’ve always had. If financial institutions and software providers work together, the future of banking can be increasingly on-demand, and more secure than it’s ever been.