On February 8, 2023, the US Treasury Department released a report citing its “findings on the current state of cloud adoption in the industry, including potential benefits and challenges associated with increased adoption.” The Treasury Department acknowledged that cloud adoption is an “important component” of a financial institution’s overall technology and business strategy, but also warned the industry of the damage that a technical failure or cyberattack could do to the public as financial institutions transform themselves and come to rely on a few large cloud service providers. The Treasury also noted that “[t]his report does not impose any new requirements or standards applicable to regulated financial institutions and is not intended to advocate or discourage the use of any particular provider or cloud service in general.”
The Treasury report focused on six issues that, if left unaddressed, could undermine the potential benefits of cloud services in the financial sector. These concerns are: (1) insufficient transparency to support due diligence and oversight by financial institutions; (2) gaps in human capital and tools to securely deliver cloud services; (3) exposure to potential operational incidents, including those originating from a cloud service provider; (4) the potential impact of market concentration in cloud service offerings; (5) contract negotiation dynamics in a concentrated market; and (6) the fragmented regulatory framework. To address these concerns, the Treasury Department plans to convene a panel of financial regulators to examine the cloud computing industry and recommend ways to address the potential risks.
Pillsbury’s cloud team has been advising clients on these potential risk areas in strategic cloud deals for nearly a decade, so we’ve seen these trends and challenges firsthand. In particular, we agree with Treasury’s point regarding the unique dynamics of contract negotiations with cloud service providers compared to other SaaS providers, particularly in light of cloud service providers’ increasingly aggressive offloading of legal risk onto customers. Examples of this strategy include:
Imposing even more aggressive limitations of liability (or even a full disclaimer of liability) when a data breach occurs in the cloud service.
Requiring contract language that prohibits customers from providing sensitive information (i.e., personal data) for processing by certain elements of the cloud service. Such a requirement effectively limits the cloud service provider’s liability for the risk of a data breach.
Obligating customers to purchase additional insurance to cover the cost of a security breach.
Providing exclusive remedies for certain failures, such as de minimis service level credits for unavailability of the services, in place of the customer’s right to claim damages. Cloud service providers also routinely impose cumbersome administrative burdens on customers before they can even recover service level credits.
Requiring customers to contractually commit to the cloud service provider’s security requirements, with the provider bearing no liability for any security or unavailability issues if the customer fails to comply.
Imposing extremely broad requirements that the customer indemnify the cloud service provider for the customer’s use of the service.
The Treasury report shows that regulators are very interested in how financial institutions use the cloud. As cloud service providers become more aggressive in offloading certain risks onto their customers, financial institutions may face increased regulatory risk. There are, however, several ways customers can mitigate this risk:
Leverage. Although the Treasury Department report notes that “[c]ontracts are difficult to negotiate with [cloud service providers],” financial institution customers should remember that they have some leverage as customers. Despite the concentration in cloud service offerings, competition among service providers is fierce. Most cloud service providers are pushing to land large cloud commitments from financial institution customers, even seeking contractually binding public commitments from customers to prefer one cloud environment over another.
Regulatory muscle. Financial institution customers can and should use their regulatory requirements to their advantage. Most cloud service providers are sophisticated technology companies, but not necessarily experts in financial regulation. If a financial institution determines that a cloud service provider does not meet the institution’s regulatory requirements, the institution should urge the provider to comply with those requirements. Cloud service provider contract forms are updated regularly, and often these updates result from financial institutions pushing back on areas of the contract where the provider’s terms were not adequate.
Negotiate, negotiate, negotiate. Financial institution customers should continue to persevere in negotiating contractual protections, including the ability to recover sufficient damages for security- and privacy-related incidents in the cloud service. The Treasury report highlights this as a particular challenge for financial institutions, which also means that the risk of data breaches should be prioritized as one of the key negotiating terms.
Security measures. Financial institution customers can mitigate their own data breach risk by implementing robust, legally compliant internal security measures, including meeting the requirements set by the cloud service provider and actively monitoring the provider’s security services. Security measures should include (but are not limited to) appropriate encryption requirements, access controls, testing and monitoring, incident response planning, data backup, and disaster recovery.
Audit rights. Financial institution customers should secure sufficient monitoring and audit rights from the cloud service provider. Customers can mitigate their risk by exercising these rights – i.e., conducting penetration testing, requesting information through audits, and establishing a process to review all compliance materials that cloud service providers make available through their customer portals.
Embrace the multicloud. Financial institution customers should adopt a multicloud strategy. The cost of switching cloud environments is already high, but when a customer commits to just one cloud environment, the cost of switching to a new provider becomes even steeper. A customer should avoid financial obligations or restrictions on termination rights that prevent it from switching to other providers. Additionally, if the customer can diversify its cloud workloads across providers, this strategy mitigates the impact of a service outage or security incident at any one of them.
Notwithstanding these controls, the reality remains that increasing reliance on a limited number of cloud providers could create concentrated and unavoidable risks for financial institutions. While cloud computing has become the standard for digital transformation across the market, there is undoubtedly uncharted territory ahead, along with unforeseen risks. Both heightened government concern and aggressive behavior by cloud service providers mean that financial institutions should review their contracts to better understand their risk exposure, determine whether their agreements could include more favorable protections, and assess whether additional precautions should be taken. In light of the Treasury Department’s guidance, financial institutions should stay alert to regulatory changes and to increased efforts by cloud service providers to offload the risk associated with cloud computing in the financial sector.