Few contest the benefits of the cloud. But at banks, many of which are still traumatised by the post-2008 implosion, adoption has been piecemeal. Change is likely to accelerate from the initial migration of non-core services to broader functions, providing cloud service providers can provide reassurance on security and keep step with regulators.
There is no disputing that cloud growth appears exponential. The research firm IDC expects cloud software sales to surpass $100bn by 2018, growing five times faster than packaged software. And the uses of cloud services and software are fast evolving. For example, cloud companies use artificial intelligence to crawl data to profile clients and tailor services.
Still, the myth that public and private clouds are a hacker’s dream appears to have taken hold. For banks, security insecurity can become a management and reputational disaster.
A cursory scan of the media suggests that banking security breaches have become more commonplace (or at least higher profile). News reports on Monday quoted the Russian cyber security company Kaspersky Lab as saying that as many as 100 banks and other global financial institutions had been hit by an “unprecedented” cyber attack, which might trigger losses of $1bn. While details of this attack remain limited, it will no doubt trigger broad concerns in the industry about the constant threat posed by cyber criminals. The 2014 IBM Chief Information Security Officer Assessment found 60% of security leaders said attackers' sophistication was out-stripping defences; at the same time 86% had adopted cloud or were planning initiatives.
No let up is expected although the attacks will become harder to detect, and more sophisticated. But the cloud, whether for data management, software, or other collaborative functions, doesn't itself jeopardise security; all the major cloud platform providers offer best-in-class protection, and work daily to combat threats. And it is also important to highlight the difference between breaches and attacks: many observers are convinced that the biggest risk is still internal.
Traditionally, banking software has been installed and managed in-house but increasingly banks are looking to experts to help bridge physical with virtual. Experts who can manage and maintain the same software in partners' data centres, while ensuring there is no data security compromise.
Much is being done by cloud providers and organisations to ensure they promote best-in-class security and standardise frameworks. The Cloud Security Alliance and its Cloud Controls Matrix provide security principles to guide cloud vendors and assist prospective customers in assessing risk.
Meantime, cloud and Software-as-a-Service (SaaS) providers are investing heavily in compliance resources to help banks keep up with the highest in security standards. In a SaaS model, banking software is licensed on subscription and centrally hosted, with cloud experts continuously supporting and safeguarding security. This model can reduce IT risk for financial institutions and free up in house resources for more strategic projects.
With cloud providers, the strictest compliance levels are standard and offer stronger real-time reporting mechanisms than many banks have.
Clearly, smaller and start-up banks appear readier than their larger peers to leap to the cloud, benefiting from newer technology and lower costs. Some, like challenger banks, are creating infrastructure with a clean slate, avoiding the constraints of burdensome legacy systems.
Tier One banks, however, have a dilemma that invites caution. They see benefits but are unable to fully embrace them. Whether data is outsourced or not, in a breach, the buck stops with the data owner. Brand damage risk often outweighs perceived benefits: in September, Kookmin Bank’s chief executive resigned following data leaks.
There are also structural impediments to overhauling complex legacy infrastructure. It’s harder to disrupt when you employ thousands in myriad jurisdictions, and have complex technology departments.
One possible route is to start with non-core activities like mobile and order management in the cloud, and then graduate to portfolio management. In 2013, the Dutch approved AWS to provide cloud services for credit and risk calculations. Banco Popular and Boursorama have both turned to IBM for cloud projects.
One of the greatest problems is the cloud’s extraterritoriality. Regulators often demand audit rights and conduct spot checks, triggering reservations about data location and accessibility. Cloud service providers can't, of course, provide open access to server farms precisely due to security concerns. In Europe, where privacy rules tend to be very stringent, the latest regulatory push will bring extra obligations for banks and their suppliers related to data breaches. This adds to compliance burdens and could trigger more investigations.
All this can leave large banks’ compliance officers cold. They have to remain attuned to the shifting regulatory landscape even if it puts their core business at a disadvantage. While most regulators have yet to pass specific cloud policies, many rules include restrictive data security laws.
However bumpy the progress, change is definitely coming. Gartner predicted that by next year, over 60% of banks would be processing most of their transactions virtually. But embracing the cloud will remain piecemeal until large lenders are assured that they can address regulators’ concerns, retain full data control and respond to clients.