How to Protect Financial Data in the Cloud: The US Department of Treasury and FSSCC Have the Answer

The US Department of Treasury and the Financial Services Sector Coordinating Council (FSSCC) released a comprehensive suite of resources aimed at guiding financial institutions in their secure cloud adoption journey.

These deliverables result from a year-long collaboration between the Financial and Banking Information Infrastructure Committee (FBIIC) and the FSSCC, under the leadership of the U.S. Department of the Treasury’s Cloud Executive Steering Group (CESG), established in May 2023.

The CESG was created at the direction of the Financial Stability Oversight Council (FSOC) to address gaps identified in Treasury’s landmark report on the Financial Services Sector’s Adoption of Cloud Services.

This initiative aims to provide financial institutions with effective practices for secure cloud adoption and operations and to establish an ongoing effort to address identified gaps.

US Department of Treasury Key Deliverables and Objectives

The published documents target several key areas:

1. Common Lexicon Development: Establishing a standardized set of terms for financial institutions and regulators to use in discussions regarding cloud services.
2. Enhanced Information Sharing: Improving coordination for the examination of cloud service providers.
3. Oversight Assessment: Evaluating existing authorities for overseeing cloud service providers (CSPs).
4. Third-Party Risk Best Practices: Developing best practices for managing risks associated with CSPs, outsourcing, and due diligence processes.
5. Cloud Adoption Roadmap: Providing a detailed roadmap for financial institutions considering comprehensive or hybrid cloud adoption strategies.
6. Security by Design: Enhancing transparency and monitoring of cloud services to ensure better security practices from the outset.

“The completion of these two efforts is the culmination of nearly two years of collaboration to further protect our financial system,” said Deputy Secretary of the Treasury, Wally Adeyemo. “The CESG is now a proven model and a new way for the financial services sector to effectively address our most significant cybersecurity challenges.”

“Our financial system is essential infrastructure for the entire economy, and it is deeply reliant on a handful of powerful Big Tech cloud service providers,” stated Consumer Financial Protection Bureau Director Rohit Chopra. “Our work will help protect the financial industry from outages and disruption by leveling the playing field between financial firms of all sizes and big cloud service providers.”

“Banks and other financial services firms know they must adapt to new technologies, but many have been uncertain as to how to do so safely and soundly,” said Acting Comptroller of the Currency Michael J. Hsu. “Today’s publications mark a significant step forward by providing a roadmap and helpful resources for banks of all sizes. These documents also clarify cloud service providers’ responsibilities for ensuring a secure and resilient financial system.”

“These documents are an important step forward in the CESG’s effort to make the cloud safer and more resilient within and beyond the financial services industry,” remarked Bill Demchak, Chairman and CEO of PNC Financial Services Group. “The strong partnership between public- and private-sector leaders allows us to take a more holistic, collaborative approach to defending against evolving threats.”

Workstreams and Outputs

The CESG model represents an unprecedented level of public-private partnership between the US Department of Treasury, FBIIC, FSSCC, and CSPs. The following workstreams were led by the FSSCC:

1. Cloud Profile 2.0: A cloud security implementation plan for financial institutions of all sizes, developed by the FSSCC Cloud Profile Workstream and the Cyber Risk Institute (CRI). This framework is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
2. Financial Sector Cloud Outsourcing Issues and Considerations: Addressing transparency, resource gaps, and operational risks, this document was co-authored by the FSSCC Cloud Outsourcing Issues and Considerations Workstream and the American Bankers Association (ABA), with support from the Securities Industry and Financial Markets Association (SIFMA).
3. Transparency and Monitoring for Better “Secure-by-Design”: This document includes a service inter-dependency and resilience model and proposes baseline security outcomes and simplified cloud configurations for financial institutions, developed by the FSSCC Transparency and Monitoring Secure-by-Design Workstream and the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Additionally, the FBIIC led the development of:

1. Cloud Lexicon: A foundational document standardizing cloud terminology for financial institutions and CSPs, led by the Office of the Comptroller of the Currency (OCC).
2. Coordinated Information Sharing and Examinations Initiative: Enhancing coordination between agencies for CSP examination and information sharing, led by the Consumer Financial Protection Bureau (CFPB).

Future Plans

Under the joint leadership of the FBIIC and FSSCC, the U.S. Treasury and FSSCC plan to publish additional resources related to cloud cyber incident response coordination and cloud concentration risk throughout the year. These efforts aim to integrate CESG deliverables into broader regulatory, oversight, and examination frameworks, thereby strengthening the shared responsibility model for cloud services in the financial sector.