CFTC Advisory Panel Compiles Warnings on Cloud Risks
What satisfies a service provider's auditors and regulators won't necessarily carry over to financial firms' examinations
Friday, April 12, 2019
By Ted Knutson
Cloud computing services, for all their popularity, economics and operational advantages, still require special technology and risk management attention. In other words, nothing should be assumed to be automatic.
That was the message in a report by the cybersecurity subcommittee of the Commodity Futures Trading Commission's Technology Advisory Committee (TAC), delivered at a meeting on March 27.
The report preceded an April 10 statement of official regulatory concern in a "joint advice" issued by the European Banking Authority and two other EU agencies “on the need for legislative improvements relating to ICT [information and communication technology] risk management requirements.” Among the caveats: “The presence of third-party providers in financial services can lead to concerns about their operational resilience including the cyber vulnerabilities to which relevant entities are exposed through these providers ... A limited number of big players dominate cloud services for the financial sector and there are concerns that their interconnectedness in the financial system could be a single point of failure if one were to be subject to a serious breach.”
“Just because a service is 'in the cloud' doesn't necessarily mean it's guaranteed to provide DR [disaster recovery] and HA [high availability],” the CFTC subcommittee said. “As applicable, special efforts should be made to understand what the provider guarantees in this context.”
The group emphasized the importance of discovering and monitoring risks by noting that cloud-based infrastructure as a service (IaaS) is creating new challenges in a relationship of shared responsibility.
The subcommittee pointed out that a “cloud provider's environment, processes, and procedures will suffice for their auditors and regulators” but will not automatically transfer over to meet users' regulators' requirements.
The report is a compendium of caveats that apply across the regulated financial services sector, and not just to entities overseen by the CFTC.
Another caution: “Speed is not necessarily your friend when moving into a shared-responsibilities environment, especially with regulated apps and data. A strong foundation (infrastructure) prior to migrating services is necessary” and must include such components as data protection and encryption, service and application segmentation, intrusion detection and prevention capabilities, security information and event management (SIEM), and a vulnerability management strategy.
“It is a good idea to analyze the data expected to flow through the cloud, specifically to ascertain adequate protections of confidential information and information barriers,” the group advised.
Regarding data protection and privacy as information migrates to the cloud: “You should understand what members of the cloud provider's team might have access to your data and what auditing capabilities you have of the access.”
In another of the TAC panels, on distributed ledger technology, Shawnna Hoffman of IBM's Cognitive Legal Practice said that blockchain and artificial intelligence are “working together now . . . AI is making the blocks easy to search and provide predictions and insight into the data that is being tracked. It can pop up anomalies quickly on a blockchain dashboard for risk professionals.”
Those anomalies could include rogue trading activity, an example of the systems' pattern-recognition capability.
“Blockchain is one big database, just a different way of building a database so documents are secure and can be time-stamped through a chain of blocks,” Hoffman explained.
She sees significant potential for blockchain in areas where intermediaries can be eliminated or streamlined, such as wire transfers, mortgages, bond sales, and digital identity. She sees less potential where there are no middlemen to remove, such as email, sales, and marketing.
Speeding Up Compliance
Charley Cooper, managing director of blockchain technology consortium R3, said, “It will be a long time before blockchain supports the speed requirement of mainstream exchanges in equities, FX and other asset classes.” But it can reengineer know-your-customer (KYC) legal and compliance checks.
“Pre-trade requirements around onboarding clients currently take days, weeks or months to fulfill,” Cooper said. “An effective blockchain solution could reduce that lag to near real time.”
“Integrating blockchain will require significant effort on the part of financial firms' internal IT departments to integrate effectively,” he added in an interview subsequent to the TAC presentation.
Tara Kruse, global head of infrastructure and data, International Swaps and Derivatives Association (ISDA), contributed a presentation on CDM 2.0, the Common Domain Model designed to “standardize how derivatives are traded and managed through their lifecycle.”