Recent Developments from Federal Regulators Regarding Use of Cloud Services

Nelson Mullins Riley & Scarborough LLP

The Federal Trade Commission (FTC) and Department of the Treasury (DOT) have taken steps to provide guidance and oversight for businesses using cloud services, signaling increased scrutiny from federal regulators on the use of cloud services. These initiatives have significant implications for regulated industries, including the financial services sector, which must navigate a complex landscape of compliance requirements and security concerns as they seek to take advantage of the benefits of the cloud.

The FTC recently issued a request for information (RFI) asking users of cloud services, academics, civil society groups, industry participants, and other stakeholders to comment on business practices of cloud computing providers. In particular, the FTC is “seeking information about the competitive dynamics of cloud computing, the extent to which certain segments of the economy are reliant on cloud service providers (CSPs), and the security risks associated with the industry’s business practices.”

The FTC’s RFI comes after the agency’s recent enforcement actions against Drizly and Chegg, both of which failed to implement basic security safeguards to protect data stored on third-party cloud computing services. Chegg Inc. stored personal data in its cloud storage databases in plain text and employed outdated and weak encryption, while Drizly failed to implement basic security measures and neglected to monitor security threats, resulting in data breaches. While the RFI is generally directed at the FTC’s understanding of reliance on CSPs in the broader U.S. economy, the FTC is also interested in the impact of cloud services on specific industries (including regulated industries), such as healthcare, finance, transportation, e-commerce, and defense.

The FTC’s RFI and enforcement actions dovetail with a recent report from the DOT and the Financial and Banking Information Infrastructure Committee (FBIIC) on challenges facing financial institutions when adopting cloud services. Businesses should be aware of these risks when deploying cloud services in a “safe, secure, and responsible” manner:

  1. Insufficient Transparency — The DOT found a range of views and concerns with respect to insufficient transparency around public cloud services in support of due diligence and monitoring efforts of financial institutions. The report specifically identifies risks associated with “nth party” dependencies, i.e., dependencies on vendors of the CSP (and their vendor’s vendors) that are obscured due to the distributed nature of providing cloud services. Ultimately, the DOT concluded that further efforts are needed to achieve the right balance of information sharing between CSPs and financial institutions.
  2. Gaps in Human Capital and Tools — There is a disproportionate sharing of risk and operational responsibility between CSPs and financial institutions based on relative expertise, particularly for small and medium-sized financial institutions. For example, small to medium-sized financial institutions may lack the technical expertise to configure cloud services to apply principles of least privilege. This misconfiguration, when duplicated across multiple systems, creates vulnerabilities that may be repeatedly exploited.
  3. Exposure to Potential Operational Incidents — Financial institutions conveyed that there were gaps in their ability to assess the resilience of their cloud service configurations. Financial institutions indicated that some CSPs may provide limited cooperation in direct testing of their business resumption and recovery capabilities, and pointed to the lack of recovery time objectives (RTOs) and recovery point objectives (RPOs) in existing CSP contracts, the lack of detail regarding resilience dependencies, the technical challenges posed by failover of services across multiple geographic regions, and the costs associated with addressing those challenges.
  4. Impact of Market Concentration in Cloud Service Offerings — The report highlights the potential impact of market concentration in cloud service offerings, particularly among the three major CSPs: AWS, GCP, and Microsoft Azure. A significant system outage or data breach at any one of these CSPs could impact multiple financial institutions and U.S. consumers. Given the trend of increasing adoption of CSP offerings, the report noted that financial institutions are stressing the need for CSPs to participate in sector-specific exercises to help regulators and financial institutions better understand the impact of an operational incident affecting cloud services.
  5. Dynamics of Contract Negotiation — The availability of CSP offerings across multiple jurisdictions and clients has resulted in asymmetric negotiating power between CSPs and financial institutions. The concentration of the market for cloud services in a few major players (especially AWS, GCP, and Microsoft Azure) exacerbates the difficulties of negotiation, with larger financial institutions often receiving more favorable treatment than small and medium-sized ones.
  6. International Landscape and Regulatory Fragmentation — Deploying cloud services for financial institutions with a multi-national presence can be challenging given the complex and ever-changing web of international rules and regulations. Foreign regulators apply a higher level of scrutiny to the use of cloud services (including, e.g., requirements for data localization), which can impede consistent adoption of cloud services by organizations with a multi-national presence, thereby increasing operational and performance risks.

To address the challenges identified in this report, the DOT plans to establish an interagency Cloud Services Steering Group to coordinate on issues raised in this report, conduct follow-up tabletop exercises involving CSPs and the financial sector, and develop options or approaches with respect to interagency coordination and collaboration, common definitions and terms, sector-wide measurement, incident response, and financial institution risk management practices for cloud services. The DOT will also continue to support the development of international standards, principles, and recommendations, as appropriate, and improve international coordination with key partners. Additionally, the DOT will consider fostering industry consensus and strengthening avenues for communication with the private sector.

The DOT’s efforts are primarily focused on industry trends and the overall impact of cloud services on the financial services sector rather than individual financial institutions. The DOT recognizes that each organization’s cloud strategy is individualized and must take into consideration a variety of inputs including risk tolerance, user base, business objectives, and budgetary constraints. While the DOT report recognizes the risks and challenges faced by adopting cloud services, it is still up to individual financial institutions to address the risks identified in the report.

The recent enforcement actions taken by the FTC against companies using CSPs, the FTC’s RFI, and the recent report released by the DOT indicate a growing awareness and scrutiny by federal regulators regarding the impact of CSPs on the broader economy, especially regulated industries (including healthcare and financial services).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nelson Mullins Riley & Scarborough LLP | Attorney Advertising
