On February 8, 2023, the U.S. Department of the Treasury released a report citing its “findings on the current state of cloud adoption in the sector, including potential benefits and challenges associated with increased adoption.” Treasury acknowledged that cloud adoption is an “important component” of a financial institution’s overall technology and business strategy, but also warned the industry about the harm a technical breakdown or cyberattack could have on the public given financial institutions’ reliance on a few large cloud service providers. The Treasury also noted that “[t]his report does not impose any new requirements or standards applicable to regulated financial institutions and is not intended to endorse or discourage the use of any specific provider or cloud services more generally.”
The Treasury report focused on six thematic areas that, if left unaddressed, may detract from the potential benefits of cloud services in the financial sector. These concerns are: (1) insufficient transparency to support due diligence and monitoring by financial institutions; (2) gaps in human capital and a lack of tools to securely deploy cloud services; (3) exposure to potential operational incidents, including those originating at a cloud service provider; (4) the potential impact of market concentration in cloud service offerings; (5) dynamics in contract negotiations given market concentration; and (6) the fragmented regulatory framework. To combat these concerns, the Treasury plans to convene a group of financial regulators to study the cloud-computing industry and recommend ways to manage the potential risks.
Pillsbury’s Cloud Team has been advising clients on these potential risk areas in strategic cloud deals for nearly a decade, so we have witnessed these trends and challenges firsthand. In particular, we are attuned to the point Treasury raised regarding the unique dynamics in contract negotiations as compared to other SaaS service providers, especially with respect to cloud service providers becoming increasingly aggressive in shifting legal risks to customers. Examples of this strategy include but are not limited to:
- Imposing even more aggressive limitations of liability (or even disclaiming liability altogether) if there is a data breach arising in the cloud service.
- Requiring contractual language that prohibits customers from providing sensitive information (e.g., personal information) for processing by certain elements of the cloud service. Such a requirement effectively limits the cloud service provider’s exposure to data breach liability.
- Requiring customers to acquire additional insurance to cover the costs of a security breach.
- Providing exclusive remedies for certain failures, such as de minimis service level credits for unavailability of the services, as opposed to customers’ rights to pursue damages. Cloud service providers also regularly impose cumbersome administrative burdens on customers before they can even recover service level credits.
- Requiring customers to commit contractually to the cloud service provider’s security requirements, and if the customer fails to comply, then the cloud service provider has no liability for any security or unavailability issues.
- Imposing extremely broad requirements that the customer indemnify the cloud service provider for the customer’s use of the service.
The Treasury report shows that regulators are keenly interested in how financial institutions are using the cloud. As cloud service providers get more aggressive in pushing certain risks on their customers, financial institutions may face increased regulatory exposure. As a result, there may be a few ways customers can mitigate that risk:
Leverage. Despite the Treasury report noting “negotiating contracts with [cloud service providers] to be challenging,” financial institution customers should remember that, as the customer, there is some leverage. Despite the concentration in cloud service offerings, the competition among service providers is fierce. Most cloud service providers are pushing hard to land large cloud commitments from financial institution customers and even pressing for contractually binding public commitments from customers to use one cloud environment over another.
Regulatory Muscle. Financial institution customers can, and should, use their regulatory requirements to their advantage. While most of the cloud service providers are sophisticated technology companies, they may not necessarily be experts in financial regulations. If a financial institution determines that a cloud service provider is not meeting the institution’s regulatory requirements, then the institution should press the provider on those requirements. Cloud service providers’ forms are regularly updated, and often those updates are because financial institutions push back on contractual areas where the cloud service provider may be falling short.
Negotiate, Negotiate, Negotiate. Financial institution customers should continue to persistently negotiate for contractual protections, including the ability to seek sufficient damages, arising in connection with security and privacy-related incidents in the cloud service. The Treasury report highlights this as a particular challenge for financial institutions, which also means that data breach risk should be prioritized as one of the most important deal terms to negotiate.
Security Measures. Financial institution customers can mitigate their own data breach risk by implementing robust, regulatory-compliant internal security measures, including meeting the requirements set by the cloud service provider and actively monitoring the security services the provider offers. Security measures should include (but are not limited to) appropriate encryption requirements, access controls, testing and monitoring, incident response planning, data backup, and disaster recovery.
Audit Rights. Financial institution customers should be able to secure sufficient monitoring and audit rights over the cloud service provider. Customers can mitigate their risk by exercising those rights—i.e., conducting penetration testing, requesting information via audit, and setting up a process to review all compliance materials that cloud service providers make available through their public customer portals.
Embrace the Multicloud. Financial institution customers should pursue a multicloud strategy. Cloud environment switching costs are already high enough, but if a customer dedicates itself only to one cloud environment, then the cost to switch to a new provider becomes even steeper. A customer should avoid financial commitments or limitations on termination rights that disable the customer’s ability to shift to other suppliers. In addition, if the customer can diversify where it puts its cloud workloads, then this strategy will mitigate the risk of a service outage or security incident.
Notwithstanding these controls, the reality remains that increased reliance on a limited array of cloud providers could create concentrated and unavoidable risks for financial institutions. While cloud computing has become the standard for digital transformations across the market, there is undoubtedly uncharted territory and unpredictable risk. Both heightened concerns from the government and aggressive posturing by cloud service providers mean that financial institutions should review their contracts to better understand their risk exposure, determine whether their agreements could include more favorable protections, and assess whether any additional precautions should be taken. In light of the Treasury guidance, financial institutions should be hyper-aware of regulatory changes and of increased efforts by cloud service providers to pass off the risk associated with cloud computing in the financial sector.