Getting Cloud right: How can banks stay ahead of the curve?

Cloud’s benefits and value for banks: Cloud enables banks to improve their business agility, drive innovation by tapping into cutting-edge technology, leverage industry-specific solutions, and shift their spending paradigm from CapEx to OpEx.

Why have banks been reluctant to use cloud? So far, regulations, combined with data security and the challenges of cloud transformation, including risks associated with outsourcing critical processes, have discouraged many banks from adopting cloud services. In comparison, major cloud service providers have increased their global physical presence, and in some cases resolved issues regarding the obligation to host data within the country where the data is collected. Transformation challenges can be overcome by adopting a structured approach to adopting the cloud. A thorough risk assessment and an ongoing vendor management process (i.e. an ongoing process aiming at nurturing and developing the relationship with the vendor to get the most out of their products) should enable banks to mitigate data risks and third party risks.

Key success factors for cloud transformation: Cloud transformation projects must start with defining a ‘cloud strategy’ closely aligned with the organisation’s broader business strategy, followed by complying with risk management and governance requirements, with a financial analysis justifying the investment. The subsequent actual migration to the cloud will call for a corporate culture change to drive innovation and fully leverage cloud capabilities.

Compliance with regulatory requirements: Using cloud services raises questions about regulatory compliance, because processing sensitive information or client identifying data (CID) is subject to national regulations. These have prevented many banks from embracing the cloud. Since regulations differ between countries, this report presents the EBA considerations (see sidebar for CSSF specific rules).

Cloud cyber security: Cloud services extend the IT footprint of organisations, thereby increasing the risk of cyberattacks. This means that robust arrangements for cyber security should be implemented. These should cover seven cyber domains: network and infrastructure security; identity and access management (IAM); data protection; logging and monitoring; resilience; DevSecOps; and governance, risk and compliance.

How to select the right cloud service provider: Finding the right cloud service provider depends on your cloud strategy and the current and future technology operating model you are planning. Deloitte recommends a framework for assessing your operating model and the service offerings of potential cloud service providers from a range of different perspectives: regulatory aspects, compliance, cyber security, and technology issues.