Banks face task of weathering cloud computing risks

Irish banks looking to avail of the advantages presented by cloud computing also have to be aware of the risks, according to Andreas Carney, technology, media and telecommunications partner with law firm Pinsent Masons in Dublin. "We are seeing an increasing number of financial services institutions in Ireland exploring cloud-based software and data-storage solutions," he says. "They are seeking access to more cost-effective, powerful, efficient and scalable technology to keep pace with digital innovators in the market."

That trend was confirmed by the results of a recent Central Bank (CBI) survey which found that 40 per cent of regulated firms were already using cloud service providers, with two in five firms anticipating that they would undertake additional outsourcing activity over the next 12 to 18 months.

"To maximise the benefits of using cloud-based services, however, banks must address the risks," Carney adds. "Both the CBI and Ireland's Data Protection Commission [DPC] have highlighted some of the issues they must consider."

He points to the final report of the Data Protection Commissioner, whose role has now been superseded by the DPC, which said her office investigated seven technology-related data breaches involving a business’s use of cloud-based solutions between January 1st and May 24th this year.

"That period pre-dates the General Data Protection Regulation [GDPR] and new Data Protection Act which both took effect on May 25th," he notes. "Common traits identified in the breaches included poor governance and controls, and a failure by businesses to properly scope and implement appropriate security measures. The commissioner, among other things, urged businesses using cloud services not to rely on the default security settings applied by their providers."

Data-security obligations

Banks face stiff data-security obligations in their own dealings with personal data and where they outsource the processing to a supplier. “Getting data security wrong in the age of the GDPR risks multimillion-euro fines,” Carney points out. “However, there are other new security regulations that Irish banks are subject to which have been introduced without as much fanfare.”

These include the new network and information security (NIS) regulations. "Like the new data-protection rules, these new regulations stem from Europe, " he explains. "The NIS regime provides a framework for the co-ordinated prevention and response to the threat of cyber attacks and other incidents that affect networks and systems that underpin critical infrastructure and services."

The NIS rules set out security requirements for operators of “essential services,” which in Ireland includes banks and other financial institutions. They further require those bodies to report security incidents they experience which have a “significant impact” on their services.

Currently, the maximum fine that can be imposed for non-compliance under the NIS regulations in Ireland is relatively modest, at €500,000, but that could change over time, Carney warns. “In the UK, for example, businesses that are subject to the equivalent security rules can face fines of up to £17 million for non-compliance,” he adds.

Cybersecurity is only one of several regulatory issues that banks must navigate when it comes to cloud computing, however. “Banks must carry out due diligence on providers, manage risks in subcontracting arrangements, and ensure rights of audit are written into cloud contracts, among other things,” Carney points out.

“As the cloud market matures in Ireland’s financial services sector, banks also need to be aware of concentration risk,” he continues. “As the CBI said in its recent discussion paper on outsourcing, this refers to ‘the probability of loss arising from a lack of diversification’ in service providers. The CBI has recommended banks use multiple outsourcing service providers to ‘avoid being over-reliant on one provider’ and that their exposure to concentration risk must also be considered in the context of their cloud providers’ subcontracting arrangements.”

And there is still more to come. "Banks should look out for more detail early in 2019 on what is required of them when outsourcing to the cloud," Carney concludes. "This is when final guidelines on the topic are expected from the European Banking Authority. "