Why Cloud adoption in the Finance Sector is still lagging
December 2015 by ENISA
Limitations to a consistent regulatory framework and to the broad adoption of good practices deter financial institutions from taking advantage of the benefits of cloud computing.
Cloud Computing is currently widely used in several sectors; however, its adoption in the Financial Sector remains low. ENISA engaged Financial Institutions (FI), National Financial Supervisory Authorities (NFSA) and Cloud Service Providers (CSP) in a study to analyse the slow uptake of cloud services and provide possible explanations related to the speed of adoption of these services by the financial sector.
This study identified several causes for this slow uptake, including inconsistent regulatory guidelines on cloud deployment and concerns about security and data privacy jurisdictions across EU Member States. For example, almost half of the Financial Institutions surveyed have not developed a cloud risk assessment even though they are aware of specific risks associated with Cloud Computing. Furthermore, although NFSAs are also aware of the risks of cloud computing, they are insufficiently informed about the security measures implemented by CSPs at all times.
CSPs have difficulties offering services to Financial Institutions due to differences in security and privacy requirements across EU Member States, such as the implementation of privacy requirements that are the responsibility of national Data Protection Authorities (DPAs) and not of NFSAs.
ENISA, in cooperation with the European Banking Authority (EBA), held a workshop in October 2015 to further enhance and validate the results. Participants openly discussed the challenges and debated the possible causes and potential solutions. Following the discussions and analysis, ENISA issues "Secure Use of Cloud Computing in the Finance Sector", which includes the following key recommendations:
• Financial Institutions, National Financial Supervisory Authorities and Cloud Service Providers should co-operate to develop a consistent regulatory framework for the secure adoption of cloud computing based on widely used good practices and standards.
• Financial Institutions should develop and implement a risk assessment approach to cloud computing and integrate it with existing corporate risk management processes.
• Cloud service providers should do their utmost to enhance the transparency of their service offerings and comply with any regulatory provision and widely accepted good practices and standards in the area.
Udo Helmbrecht, Executive Director of ENISA, said: “The secure adoption of cloud computing will offer significant competitive advantages to the financial institutions. ENISA will work with all relevant stakeholders to support in this direction”.
ENISA continues to work with communities and industry in order to bring knowledge and provide assistance in dealing with information security issues in a specific sector. The agency is engaged through different working groups in the area of Finance to provide exchange of information and good practices in the field of information security.