As cloud technology becomes more widespread among financial institutions, security is a growing concern. The COVID-19 pandemic has only increased the number of cyberattacks against financial institutions as employees continue to rely on cloud technology to work from home.
When it comes to security, there is some confusion around what the financial institution is responsible for and what the cloud provider is responsible for. By its nature, the cloud requires that some security controls be operated by the provider, while others remain with the customer.
To make that split explicit, cloud providers publish a “shared responsibility model” that delineates which security responsibilities belong to the provider and which belong to the customer. In Amazon Web Services’ version, AWS is responsible for security “of” the cloud (the physical facilities, hardware, network and virtualization layer that run its services), while the customer is responsible for security “in” the cloud (customer data, identity and access management, encryption, operating system patching on EC2 instances, and network and firewall configuration). Below is a high-level overview of the AWS shared responsibility model:
AWS shared responsibility model
What financial institutions need to know
It’s critically important for financial institutions to know not only what their security responsibilities are but also what the cloud provider has access to in terms of customer information.
The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers (the Privacy Rule) and to safeguard sensitive customer data (the Safeguards Rule). The Safeguards Rule also makes the institution responsible for overseeing its service providers, so it is your responsibility to make sure your vendors, including cloud providers, are adhering to the Act. Knowing what customer information they have access to is the first step in performing proper due diligence and vendor management.
With that in mind, here are three actions financial institutions should take:
1. Read through the shared responsibility model
Identify your security responsibilities. If you don’t understand the division of responsibilities for assessing and implementing appropriate controls, you take on increased risk of a data breach. The last thing you want to do is assume the cloud provider is taking care of something that actually falls under your responsibility. Common gaps are assuming the provider backs up, patches or encrypts something that the model assigns to the customer: in AWS, for example, encrypting data at rest, patching the operating system on EC2 instances and configuring access to S3 buckets are all customer responsibilities.
Then identify what data the provider has access to. They are always going to have access to some level of data by virtue of the cloud’s nature, at minimum account, usage and configuration metadata. For data at rest, how much the provider can read depends on who controls the encryption keys: data encrypted with keys the customer manages outside the provider’s key service is not readable by the provider, while data encrypted with provider-managed keys is. Determine whether you are comfortable accepting this risk and whether the provider’s security responsibilities effectively manage it.
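The customer-side duties above are concrete enough to check. The script below is an added example, not part of the original article and not an AWS tool: it runs a checklist of customer-responsibility controls under the AWS shared responsibility model (root MFA, password policy, CloudTrail logging, S3 public access and encryption, EC2 patch age and IMDSv2) against a constructed account snapshot. The snapshot format is a hypothetical flattening of what a collector script would gather from the AWS CLI (`aws iam get-account-summary`, `aws s3api get-public-access-block`, `aws s3api get-bucket-encryption`, `aws cloudtrail describe-trails`), and the thresholds (14-character minimum password, 30-day patch window) are assumptions chosen for illustration.

```python
"""Check an AWS account snapshot against customer-side controls in the
shared responsibility model.

Added example. SNAPSHOT is constructed data in a hypothetical format;
it is not AWS API output. Thresholds below are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumed policy thresholds (institution-specific in practice).
MIN_PASSWORD_LENGTH = 14
MAX_PATCH_AGE_DAYS = 30

# Constructed snapshot of one account, as a collector script might
# flatten it from CLI calls. Values are made up for the example.
SNAPSHOT: Dict[str, Any] = {
    "account": {"root_mfa_enabled": False, "password_policy_min_length": 8},
    "cloudtrail": {
        "trails": [{"name": "org-trail", "is_multi_region": True, "logging": True}]
    },
    "s3_buckets": [
        {"name": "fi-customer-statements", "block_public_access": True,
         "sse": "aws:kms", "versioning": True},
        {"name": "fi-marketing-site", "block_public_access": False,
         "sse": None, "versioning": False},
    ],
    "ec2_instances": [
        {"id": "i-0a1", "os_patch_days_ago": 3, "imdsv2_required": True},
        {"id": "i-0b2", "os_patch_days_ago": 95, "imdsv2_required": False},
    ],
}


@dataclass
class Finding:
    """One unmet customer-side control, tied to the resource it affects."""
    control: str   # which customer responsibility in the model
    resource: str  # account, bucket name or instance id
    detail: str


def check_snapshot(snap: Dict[str, Any]) -> List[Finding]:
    """Return every customer-responsibility control the snapshot fails.

    Everything checked here is on the customer side of the AWS model:
    identity (IAM), logging configuration, data protection (S3) and
    guest operating system / instance configuration (EC2). Provider-side
    items such as physical security or hypervisor patching are not
    checkable from the account and are covered by the provider's audit
    reports instead.
    """
    findings: List[Finding] = []

    # Identity and access management is always the customer's job.
    acct = snap["account"]
    if not acct["root_mfa_enabled"]:
        findings.append(Finding("IAM: root MFA", "account",
                                "root user has no MFA device"))
    if acct["password_policy_min_length"] < MIN_PASSWORD_LENGTH:
        findings.append(Finding("IAM: password policy", "account",
                                f"minimum length {acct['password_policy_min_length']} "
                                f"< {MIN_PASSWORD_LENGTH}"))

    # The provider runs CloudTrail; the customer must turn it on and
    # make it cover every region.
    trails = snap["cloudtrail"]["trails"]
    if not any(t["is_multi_region"] and t["logging"] for t in trails):
        findings.append(Finding("Logging: CloudTrail", "account",
                                "no multi-region trail is logging"))

    # Data protection: bucket exposure and encryption at rest.
    for b in snap["s3_buckets"]:
        if not b["block_public_access"]:
            findings.append(Finding("S3: public access", b["name"],
                                    "Block Public Access is off"))
        if b["sse"] is None:
            findings.append(Finding("S3: encryption at rest", b["name"],
                                    "no default server-side encryption"))

    # Guest OS and instance configuration on EC2 belong to the customer.
    for inst in snap["ec2_instances"]:
        if inst["os_patch_days_ago"] > MAX_PATCH_AGE_DAYS:
            findings.append(Finding("EC2: OS patching", inst["id"],
                                    f"last patched {inst['os_patch_days_ago']} days ago"))
        if not inst["imdsv2_required"]:
            findings.append(Finding("EC2: IMDSv2", inst["id"],
                                    "instance metadata service allows v1"))
    return findings


def failing_resources(snap: Dict[str, Any]) -> List[str]:
    """Distinct resources with at least one finding, in first-seen order."""
    seen: List[str] = []
    for f in check_snapshot(snap):
        if f.resource not in seen:
            seen.append(f.resource)
    return seen


if __name__ == "__main__":
    for f in check_snapshot(SNAPSHOT):
        print(f"{f.control:24} {f.resource:24} {f.detail}")
```

Run against the constructed snapshot, the account fails two IAM checks, the marketing bucket fails both S3 checks and one instance fails both EC2 checks, while CloudTrail passes. The point is the division of labor: none of these failures would appear in a provider's SOC 2 report, because each is on the customer's side of the line.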
2. Request a SOC 2 report from your cloud provider
Once you know what security the cloud provider is responsible for managing, you want to verify they’re actually acting on those responsibilities. By requesting a SOC 2 report, you can verify that they have the proper controls in place and that those controls are functioning properly. Ask for a Type II report, which tests whether controls operated effectively over a period (typically six to twelve months), rather than a Type I, which only attests to their design at a point in time. Read the scope, the auditor’s exceptions and the “complementary user entity controls” section: that section lists the controls the provider assumes you, the customer, are operating, and it is the shared responsibility model restated in audit terms. Large providers distribute these reports through a customer portal under a nondisclosure agreement (AWS, for example, through AWS Artifact).
3. Review the cloud provider’s financial information
If the cloud provider fails or exits the business, you can lose access to the service and to the data hosted in it. By reviewing their financial information, you can make sure the company is stable and will remain viable in the future. Pair that review with an exit plan: know how you would export your data and where you would run the workload if the provider, or your relationship with it, ended.
Are you meeting your shared responsibility model requirements?
Wipfli’s team of cybersecurity and cloud specialists can perform an IT controls review to help you meet and even exceed regulatory requirements. We help you identify and evaluate your risks, the quality of your IT controls and how well protected your critical assets are. Learn more. And visit our cybersecurity web page to learn more about how we can help you manage, detect and respond to cyber threats.
How to review vendor SOC reports
FFIEC outlines best practices on the use of cloud computing
Vendor management reviews: You can’t do without them
Vendor risk management: Protecting your data