EY: How to Build Trust When Adopting a «Cloud-First» Agenda

Financial institutions have been waiting to solve security and compliance issues before moving mission-critical applications to the cloud. Research indicates that they are increasingly adopting a «cloud-first» strategy to keep pace with the evolving digital ecosystem.

Although financial institutions are regularly putting their sandbox testing facilities or support functions, such as email, in the public cloud, the same cannot be said for their mission-critical applications.

The vast majority of clients are hesitant to make this move because of security concerns and compliance requirements.

Sooner or later, this will have to change, says Jeremy Pizzala, EY Global Financial Services Cyber Leader and Hong Kong FSO Advisory Leader. «Cloud technology will be key for financial institutions to improve agility, reduce costs, boost speed to market and reconnect with their customers. To capitalize on these benefits, institutions must find a way to navigate a path through cloud security issues,» he adds.

Addressing Key Security Concerns

With customer trust and confidence critical to the success of new, cloud-based services, organizations must first address key security concerns such as:

  • Where is data stored and flowing to, and who has access to it?
  • Is the cloud service provider’s underlying infrastructure secure enough for the organization’s sensitive data and able to support regulatory compliance?
  • Are cloud-based security operations and monitoring integrated with on-premises controls to provide a single view?
  • How is cloud computing regulated with regard to PCI, GLBA, FFIEC, FTC, SOX, FINRA, NY-DFS, SEC-OCIE, CFTC Cyber Exam, data protection, and privacy?

How to Navigate Securely?

Companies migrating to the cloud must address the inherent cyber risks of a boundary-less environment with unlimited scalability. But cloud technology, while introducing risks, also brings with it relevant security capabilities, courtesy of the cloud service provider, such as:

  • Network security
  • Monitoring, auditing, and logging
  • Access management

On the upside, this means financial institutions can build on top of or augment their provider's capabilities in order to meet their own security requirements. However, it also means that cybersecurity and compliance are now a shared responsibility between the cloud service provider and the cloud consumer, with a strong potential for coverage gaps.

Providing Assurance

Frequently, data loss episodes in the cloud are a direct result of the consumer’s failure to appropriately secure the cloud environment. To solve the cloud’s inherent security and regulatory issues, institutions need a business solution focused on providing assurance to both internal and external stakeholders, including regulators.

The answer lies in a combination of security, risk, privacy, and regulatory competencies. «It will come, not just from cybersecurity professionals, but from a wide range of different disciplines, including risk, regulatory and privacy professionals,» says Pizzala.