By Mark Wetjen, Head of Global Public Policy at the DTCC:
Cloud computing has reached a pivotal point, and market infrastructures are evaluating opportunities to expand the use of the cloud more broadly across external services and applications where most appropriate. This is because many cloud operations have reached new levels of robustness and sophistication, which many large corporates are unable to achieve with respect to performance, security, cost and scale.
For market infrastructures, the key to a successful cloud computing strategy will be to work in collaboration with regulators and policy makers to ensure that mandates and compliance obligations are met. Moreover, it is essential that any cloud implementation strategy is in line with the abundance of guidance which has been provided for such initiatives, including best practice guidelines.
A testament to regulators' confidence in the public cloud is that many regulatory agencies are themselves using the cloud to provide their services. The SEC has migrated a number of applications to the cloud, including its response tracking system, while FINRA has moved 75% of its operations to Amazon Web Services.
So, what are the conditions which regulators have set for the use of the public cloud in financial markets and in particular market infrastructure? The prerequisite for regulators agreeing to allow market infrastructures to outsource certain operations to a public cloud provider is that the overall responsibility for the services and data must reside wholly with the market infrastructure. This includes governance, such as policy definition, management (including contracts, service levels and monitoring), Service Level Agreement (SLA) reviews and control audits. While cloud vendors and their related software services may have the most sophisticated security capabilities, best practice guidelines from policy makers and regulators state that the controls, configurations and access management should still be overseen by the market infrastructure.
Based on this best practice cloud computing model, there are four main areas related to policy and regulation, as well as security, which market infrastructures should address when devising cloud strategies.
The first area is the confidentiality of data: the regulated market infrastructure's security policy for outsourcing and cloud services must provide ample safeguards to ensure data remains secure. Regardless of the level of the cloud provider's data security, responsibility for protecting the data, and ownership of it, resides with the market infrastructure. Its cloud policy must therefore ensure that the cloud system in place protects and/or encrypts sensitive data and mitigates any encryption key management concerns.
The second key area of concern is data integrity. The market infrastructure must have adequate data controls and procedures in place to validate and verify the reliability of its outsourced and cloud-hosted data, as well as strict policies around data retention. In short, the market infrastructure must ensure it is able to prevent data from being altered or destroyed under any circumstance.
Continuity of service is the third key consideration: market infrastructures must ensure continuous data availability. As a result, cloud vendors are required to have adequate disaster recovery and business continuity planning, and to commit to providing essential communication links.
Auditing is the fourth area which should be addressed. Cloud vendors interested in partnering with market infrastructures must be able to demonstrate a proven track record of working with regulated entities and ensure that they can meet current compliance requirements, specifically related to required reporting and safeguarding of sensitive information. Appropriate auditing tools should be used by the regulated market infrastructure in order to ensure that the cloud vendor's internal controls are adequate.
These are the primary policy and regulatory considerations which market infrastructures must take into account when implementing a cloud strategy. Should market infrastructures be able to comply with these best practices and standards, the public cloud can provide greater efficiency and security than private in-house data centres.
DTCC has been using cloud services for more than five years and we are now evaluating opportunities to expand the use of the cloud more broadly across external services and applications. We believe that the benefits of using the cloud will continue to increase as public cloud providers invest even more resources in its development.
All that said, to ensure and maintain a successful cloud strategy, it is essential that market infrastructures and other financial market participants base that strategy on the best practice guidelines which have been provided by regulators. If this approach is adopted, we believe that the efficiency, resiliency and security of global financial markets will be considerably enhanced.