The Federal Financial Institutions Examination Council (FFIEC) as well as the Federal Deposit Insurance Corporation (FDIC) have recently made announcements that focus on cybersecurity.
The FDIC in particular imposes more stringent requirements — called the Proposed Standards — across several categories of cybersecurity, including: cyber risk governance, cyber risk management, internal dependency management, external dependency management and incident response, cyber resilience and situational awareness.
TechDecisions spoke with Jeff Kaplan, CEO of Breakthrough Technology Group, about how these Proposed Standards might affect the financial industry and beyond:
TD: How will the newly released proposed standards impact how financial services use technology?
Data privacy and security are top concerns, and a key technology issue will be determining the best way to leverage the cloud. Whether a company is governed by industry mandates such as HIPAA (healthcare) or FINRA (banking and finance), or perhaps it has its own internal reasons to safeguard its data, a private cloud offering is the better way to go. Unlike public clouds, private cloud offerings can provide users with dedicated virtual firewalls and computing environments that are virtually — and sometimes even physically — isolated from other companies’ data.
At the consumer level, there will be another aspect of privacy and data security to consider around mobile payments. The related technologies are evolving rapidly, and as consumers become more mobile-centric, financial services institutions will need to be more careful and deliberate when migrating services.
Data jurisdiction is another security concern for some companies. They need to know exactly where their data is being stored and specifically that it’s not crossing international borders. Few public cloud providers can make this guarantee, but private cloud providers can.
When using the cloud to support these new standards, financial institutions are advised to pay close attention to:
Data classification. How sensitive is the data that will be placed in the cloud (e.g., confidential, critical, public) and what controls should be in place to ensure it is properly protected? Does the cloud service provider encrypt or otherwise protect non-public personal information (NPPI) and other data whose disclosure could harm the institution or its customers?
Data segregation. Will the financial institution share resources with other cloud clients? For example, will the data be transmitted over the same networks, and stored or processed on servers that are also used by other clients? If so, what controls does the service provider have to ensure the integrity and confidentiality of the financial institution’s data?
Recoverability. How will the service provider respond to disasters and ensure continued service? Does the financial institution’s business continuity and disaster recovery (BCDR) plan include specific details in its service level agreement (SLA), such as the recovery time objective (i.e., how long it will take to recover the bank’s data following a disaster) and the recovery point objective (i.e., the maximum amount of data that may be lost following a disaster)?
TD: How do public cloud environments play into these new Proposed Standards and affect financial services?
The reality with many multitenant cloud offerings is that once a company commits to a specific platform, infrastructure and/or application, changing that decision is anything but easy. In today’s ever-evolving business environments, new regulations (like the Proposed Standards) are constantly being introduced, mergers and acquisitions are an everyday reality, and customer demands are always increasing.
As such, financial institutions need to plan for change being a constant, rather than settling on a firm set of technologies based on what’s familiar. Public clouds may be very accessible and offer attractive economics, but this is not the only option, and may not provide enough flexibility, especially for financial institutions that want to be on the cutting edge for competitive advantage.
TD: How does a private cloud work differently than public cloud environments? In addition, how are private clouds as a service different than public cloud offerings?
Let’s first define “the Cloud” as analysts see it, as well as the industry. Many people have the perception that “Public Cloud” is external, whereas “Private Cloud” means hosted on a customer’s premises and managed by the customer’s internal IT team. Our view is that Cloud encompasses any application hosted by a third party, typically off premises, and accessed either over the Internet or via private connectivity such as MPLS. Cloud computing has evolved so much over the years that it is necessary to identify various subsegments of the market, beyond Public Cloud Providers such as Amazon and Microsoft Azure.
Managed Cloud Providers deliver the benefits of the public cloud with the security and flexibility of a private data center. In a public cloud environment, on the other hand, customized services and accommodations are limited because the public cloud provider has to be cognizant of the other tenants on its platform.
Managed Private Clouds offer virtually or physically dedicated and isolated environments for each customer and provide complete visibility of the environment. Financial institutions are best served by a managed private cloud by virtue of the deployment model’s allowance for customization, security, and flexibility.
TD: Why could private clouds be a better alternative for financial services?
Banks are subject to increased scrutiny and auditing requirements, and they need to ensure these requirements can be met in a cloud environment, too. With a private cloud, specific reports, visibility and security can be built in to satisfy compliance requirements, which may not be the case in a public cloud environment. Given the volatility of today’s market, banks need the assurance of a next-generation infrastructure that performs optimally and is also agile and flexible enough to quickly pivot in response to business or regulatory changes. Also important is the peace of mind from knowing that their data resides in a private, secure environment, and exactly where it is located.