Cloud consolidation is eroding cyber resilience of payments, CISOs warn

Cybersecurity leaders for Visa, Deluxe and Fiserv said at the RSA Conference on Monday that powerful cloud players have been unresponsive to their requests to monitor the vendors' security postures.
RSA Conference

SAN FRANCISCO — At a cybersecurity conference on Monday, leaders at financial services firms lamented what they called monopolization in the cloud services industry, saying the consolidated power of the largest providers in the space has made them unresponsive to financial companies' security concerns about their information technology supply chain.

Cybersecurity in the IT supply chain has been a focus for banks and regulators in recent years, particularly as regulators crack down on banks that fail to practice due diligence in vetting their technology partners.

At the RSA Conference, cybersecurity leaders for financial services companies Visa, Deluxe and Fiserv said that while they have been able to persuade many of their technology partners to improve their security standards to meet the companies' needs, the same cannot be said for cloud service providers.

Though the chief information security officers did not call out any particular cloud provider by name, recent research by the market intelligence firm Synergy Research Group shows that Amazon Web Services had 31% of the cloud services market share in the first quarter this year, Microsoft Azure had 25%, and Google Cloud had 11%.

Visa has set increasingly tight cybersecurity requirements for vendors in recent years as a means of securing its supply chain, according to CISO Subra Kumaraswamy, but there is still "a long way to go" to understand the exact security posture of a given vendor.

"If you look back at SolarWinds," Kumaraswamy said, referring to the major cybersecurity incident in 2020 involving the network monitoring software provider, "the entire process was, of course, not visible to the customers. But now with some of the secure-by-design requirements and ensuring that we can hold our vendors accountable, there's going to be a lot more appetite to share [security bills of materials], share about their practices, and give the right to test and audit in real time."

When dealing with large monopolies, asking for additional features and functions that improve cybersecurity or transparency into a firm's security stance often means paying extra, according to Clarissa Banks, CISO for the payments company Deluxe. "They want to charge for it," she said, even though the cybersecurity features constitute "foundational controls that you would expect regardless" from the product.

Vendors need to understand that the heightened cybersecurity practices financial firms demand are a potential selling point to prospective customers, according to Norma Krayem, vice president and chair of the cybersecurity, privacy and digital innovation practice at the lobbyist group Van Scoyoc Associates. Krayem is also the director of the cyber council for the American Transaction Processors Coalition, a payments industry trade group.

"They're understanding when they're talking to our folks, that if they're doing these things, they can actually sell that as a marketing perspective. That's good for everybody," Krayem said.

"But," Krayem went on, "we do have one aspect of the supply chain that's very tough, even sometimes for us. When we talk about cloud providers, that has been a difficult issue not just for us but certainly for all industries."

Krayem alluded to a 2023 report from the Treasury Department that analyzed the financial industry's cloud adoption. Among the report's conclusions, it said "the current cloud services market is concentrated around a small number of service providers," which has "potential benefits" but also exposes many financial services companies "to the same set of physical or cyber risks."

The U.S. government is aware of this problem as well, according to Rick Van Luvender, senior vice president and head of cybersecurity international and cyber outreach for the core banking software provider Fiserv. He said he learned in a meeting with Treasury officials that they have also been unable to negotiate with the cloud providers.

"I think the perception being understood widely is also important that we've got to change the behavior there," Van Luvender said. "We've got to get them to be more accommodating. But for the past couple of years, they haven't been. Hopefully things will change in the near future now."

As a final thought on the matter, Krayem mentioned National Security Memorandum 22, signed last week by President Joe Biden, to make the point that information technology is considered critical infrastructure by the U.S. government, meaning that the industry, including cloud service providers, is being held to many of the same cybersecurity standards as banking, which is another critical infrastructure sector.

"There is the requirement now to have minimum security standards across all [critical infrastructure industries]," Krayem said. "Hopefully that will help us, and obviously it's something that we're going to be working on in the cyber council."
