Financial institutions may find leveraging commercial cloud services can help them develop new ways to defend themselves against large-scale cyber attacks, says Stephen Scharf, New York-based chief security officer at DTCC.
As the person responsible for managing technology, cyber and other risks at the world’s largest securities depository and clearing company, Scharf is involved in numerous international standards bodies that seek to develop coordinated responses to emergencies.
Industry initiatives such as U.S.-based Sheltered Harbor help preserve and restore account data, so that either the government or other financial institutions can lend a hand in the event an attack causes a bank to stop operating.
There are also a number of fintechs trying to come up with solutions for banking clients (see box below).
DTCC has begun to work with the World Economic Forum to help banks lay out their security expectations for fintechs they may partner with.
New business models…new security models
This is leading to new ways of thinking about security. Banks want to work with fintech partners, which usually leverage cloud vendor tech to enable flexible and scalable digital services. But fintechs lack banks’ robust I.T. and compliance cultures. They’re more vulnerable to hacks – and therefore a security risk if they are accessing a bank’s customer or other data.
And as fintechs build capabilities based on cloud computing, more banks are also looking to do the same – but for now they are mostly limiting themselves to on-premises servers.
But Scharf says there may be a point when many financial institutions will need to embrace vendor cloud services, even for sensitive things like customer data. And this could create a more secure environment, not a vulnerability, he says.
“It’s early days,” Scharf told DigFin, “but the adoption of cloud is leading to the ability to reinvent and address your historical problems.”
Cloud as your shield
He says many banks have moved support infrastructure onto vendor clouds, but not data related to regulated products. “Banks are hesitant because they can’t afford to lose control over their infrastructure,” Scharf said. “But it may prove to be a false choice.”
Of course, banks and other financial institutions can’t outsource their regulatory obligations. But Scharf says vendors could reserve hardware just for financial clients, as they already do for government clients. “It could reach a point where vendors create a ‘fincloud’,” he says, citing AWS’s “GovCloud”, an isolated cluster of servers for handling U.S. government work.
It’s not just a question of banks becoming comfortable with putting more data into a vendor environment. Vendors such as AWS, Microsoft, Google and others may also need to give financial regulators access to their infrastructure, and make their operations more visible.
Banks and regulators also sorely need more cybersecurity professionals – there is a huge lack of qualified people in the field. Bank operations and I.T. heads will also object to moving workflows to the cloud while still being required to keep up (and pay for) mainframe computers on site.
And more international standards need to be reached, so that global institutions can migrate data from, say, a customer based in a different jurisdiction to a vendor’s cloud.
The complexity of these issues means it will take five to ten years before banks fully adopt cloud computing, Scharf predicts.
But as they do, it will create new business models.
Three industry forums for coordinating against cyber attacks:
- FS-ISAC, the Financial Services Information Sharing and Analysis Center, is the main information sharing organization for cyber and other threats; 7,000 institutions are members; founded in 1999.
- FSARC, the Financial Systemic Analysis and Resilience Center, a new body set up in 2016, is meant to mitigate systemic risk to the U.S. financial system arising from cyber threats.
- Sheltered Harbor Initiative, a voluntary group in the U.S. that coordinates the recovery and security of data in the event a bank is unable to operate because of an attack. The Sheltered Harbor Specification standardizes the operational and technical requirements for protecting consumer account data by encrypting it and sending it to an institution’s vault.