The US Department of the Treasury and the Financial Services Sector Coordinating Council (FSSCC) published a suite of resources to arm financial services institutions with effective practices for a secure cloud adoption and operations. The resources include a cloud lexicon, key considerations for contractual provisions between financial institutions and cloud service providers, a cloud security implementation plan, and a framework to assist in ensuring secure cloud implementation.
Additional items related to cloud-related cyber incident response coordination and cloud concentration risk are expected to be published as well, as they are completed throughout the year. The below-mentioned recent publications follow the Treasury’s report on the state of cloud adoption in the financial services sector:
The Cloud Lexicon, which is a foundational document that captures the most prominent terms used by cloud service providers and financial services sector consumers in a single repository and reference point. The development of the Cloud Lexicon was led by the Office of the Comptroller of the Currency (OCC). It will enable cloud service providers and financial services sector institutions of all sizes to speak in standardized terms when negotiating contract terms, establishing security schema, and adhering to regulatory standards.
The Financial Sector Cloud Outsourcing Issues and Considerations document seeks to address challenges raised in the Treasury’s cloud adoption report; these challenges relate to transparency, resource gaps, exposure to operational incidents originating at cloud service providers, and contract negotiation dynamics. The document, authored collectively by the FSSCC Cloud Outsourcing Issues and Considerations Workstream and the American Bankers Association (ABA), with support from the Securities Industry and Financial Markets Association (SIFMA), identifies a non-exhaustive list of key considerations for developing contractual provisions between financial institutions and cloud service providers; these considerations aim to address risks and regulatory and supervisory compliance expectations when using cloud services.
The Cloud Profile 2.0, authored collectively by the FSSCC Cloud Profile Workstream and the Cyber Risk Institute (CRI), is intended to serve as a cloud security implementation plan for financial institutions of all sizes and functions. The Cloud Profile 2.0 is an extension of the Cybersecurity Profile created by CRI, which is a tool based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The tool provides a framework to assist financial institutions in ensuring secure cloud implementation, while remaining flexible as standards evolve over time.
The Principles for Security and Resilience in Cloud Service Provider Environments are aligned to the CRI Cloud Profile version 2.0. The principles described in this document suggest methods to simplify the way financial institutions implement cloud-based workloads – that is, processes, services, products, or applications that consume cloud-based resources – in closer alignment with financial sector cybersecurity and resilience needs. These principles embody a proactive approach to safeguarding cloud workloads and simplifying security configurations for cloud service providers and financial services institutions.