Cloud Outsourcing Issues and Considerations

Dated: July 16, 2024

Introduction:

The U.S. Department of the Treasury (“Treasury”) completed a report in February 2023, The Financial
Services Sector’s Adoption of Cloud Services [1] (“Treasury Cloud Report”), to explore how the use of cloud
services may affect the financial services sector’s operational resilience. The Treasury Cloud Report
identified six primary challenges associated with financial institutions’ (FIs) acceleration of cloud
adoption and related oversight, including:

  1. Insufficient Transparency to Support Due Diligence and Monitoring by Financial Institutions
  2. Gaps in Human Capital and Tools to Securely Deploy Cloud Services
  3. Exposure to Potential Operational Incidents, Including from Incidents Originating at a CSP
  4. Potential Impact of Market Concentration in Cloud Service Offerings on the Sector’s Resilience
  5. Dynamics in Contract Negotiation Given Market Concentration
  6. International Landscape and Regulatory Fragmentation

FBIIC-FSSCC Cloud Workstreams

After publishing the Treasury Cloud Report, Treasury developed a roadmap for addressing the six
primary challenges through several FBIIC [2]-led, FSSCC [3]-led and FBIIC-FSSCC jointly-led workstreams to
develop potential solutions and mitigation strategies. Three FSSCC-led workstreams were created with
the intent to develop collaborative solutions between FSSCC member firms and associations and cloud
service providers (CSPs) to enable FIs to more easily meet regulatory expectations and maintain
resiliency when using cloud services. The FSSCC-led workstreams were:

  1. Cloud Profile Refinement and Adoption
  2. Cloud Outsourcing Issues and Considerations
  3. Improving Transparency and Monitoring of Cloud Services for Better “Security by Design/Default”

This paper reflects the work of the Cloud Outsourcing Issues and Considerations workstream (“the
workstream”), which is composed of experts from FSSCC member firms and associations. The
objective of the workstream is to address challenges raised in the Treasury Cloud Report related to
transparency, resource gaps, and exposure to operational incidents originating at CSPs. To meet this
objective, the workstream developed this paper to identify the key issues for FIs to consider when
obtaining services from CSPs.

Workstream participants developed these key considerations based on current regulatory
expectations and the challenges that FIs face in ensuring their contracts with CSPs include the most
appropriate provisions. The key considerations paper should be used as a voluntary reference tool by
FIs to appropriately address cybersecurity, resilience, and third-party due diligence expectations, and
to help enable FIs to meet regulatory requirements and expectations.