Banks are moving away from having direct control over their technology assets to increased reliance on managing technology through contracts.
As banks move to public cloud providers, they are recognizing that procuring cloud services may require a shift in contract negotiation and vendor management. Buying public cloud services moves software and processing environments into the realm of commodity services — providing much less room to negotiate contract terms and service level agreements.
Most bank technology organizations use traditional technology procurement practices. But with cloud, the contract is for use of pre-established commodity services. With commodities, margins are slimmer, customization doesn't occur and there is little room for negotiation. The recent FFIEC statement on external cloud computing shows that U.S. regulators are aware that banks are contracting with cloud providers, but little guidance is provided. The bottom line from the FFIEC is that financial institutions should use the same approach to cloud computing that they currently use with traditional outsourced technology. This is good as far as it goes, but there are some best practices we have compiled from our discussions with banks and providers. Following are a few points to consider and discuss with legal counsel and your procurement group.
• Security and data protection. We have to start with security as that tops every bank's list of concerns about public cloud. Unfortunately though, banks often focus in the rear view window as they review providers' security controls. Providers tell us that banks are overly focused on physical security, while paying much less attention to more common attack vectors. This is probably due to an over-reliance on leveraging the same kinds of controls the bank uses to manage its owned assets. One common question that is missed is about how the provider controls access to backup data and disaster recovery. Banks will tour primary processing locations, but will often not use the same diligence when probing the provider regarding the complete data life cycle. Providers should offer details on where back-ups are stored, how chain of custody is tracked, how data is secured in transit, and how retired assets are wiped clean after assets are re-deployed or after data retention time periods have been met. Banks must also consider the geographic locations where all data will be kept at rest or in transit, and ensure that there are no conflicts due to legal jurisdictions.
• People. In addition to making sure that data is protected, banks must also ensure that the provider has well-trained staff. Human error — whether true mistakes or those that have been coaxed along with social engineering — are among the biggest risks in any processing environment. All staff from operators to executives must be trained to be vigilant so that they can recognize attacks underway and not fall prey to rapidly evolving techniques. IDC Financial Insights has yet to find an easy way to measure this capability, as it's more about the culture of the provider than about checking off boxes with training programs. This is where bankers need to trust their guts and make sure they have confidence in the provider's ability to maintain a culture of vigilance.
• Plan for the unexpected. Just as wealthy older grooms require their younger, impoverished brides to sign pre-nuptial agreements, bankers need to plan for the worst at the start of the relationship. Part of the contract negotiation process must address termination. Banks must have explicit exit clauses that document those conditions that will nullify the contract and allow the bank to take over processing. In addition to setting the legal parameters, the bank must also plan for the logistical aspects when a processing arrangement terminates. Banks must be clear about the format of the data they will receive in an extract, specify a reasonable timeframe for delivery, and make sure that all definitions and schema are also provided by the vendor.
Short of termination, there are other unforeseen circumstances that can occur. Contracts or service level agreements will include the vendor's incident response plans and when and how suspected or actual events must be communicated to the bank. Liability for data security breaches must be addressed, as well as making sure that the vendor has adequate insurance coverage to support their level of indemnity. Coverage should include any penalties or fines the bank may be subject to in the event of a breach that can be tracked back to negligence or fraud on the part of the provider.
• Square peg, square hole. As mentioned at the start of this piece, banks contracting for public cloud services are buying into a commodity. For most banks, public cloud services are being considered because they can deliver computing capacity at a lower price than on-premises options.
However, banks have higher service requirements than the average business, and some service levels cannot be compromised to reduce costs. Banks must ensure that they are making the right kinds of trade-offs when they procure cloud services, and are choosing a provider that can support a bank's requirements — now and in the future.
Fortunately, public cloud providers make their contract terms and service level agreements publicly available, so banks can educate themselves about the standard options each offers. Although low-cost providers may be attractive, requiring too much customization or additional requirements can diminish the economic returns for the provider, and may not adequately protect the bank.
Best practices dictate that banks seek providers whose standard offerings provide a higher level of service, and can guarantee that they can comply with banking regulations and availability requirements.
Although most banks have experience with traditional outsourcing, and even near-cloud services such as card networks, check image warehouses, and co-location services — for many, the word "cloud" gives them pause. In many ways, accessing shared assets through shared networks is same old, same old for banks. But there are some real differences that banks should focus on when they engage with cloud service providers.
Jeanne Capachin is research vice president with IDC Financial Insights.