IBM Cloud for Financial Services and Promontory Advisory Services provide a holistic and practical approach to an increasingly complex cloud environment.

Data fuels today’s global economy, and like any appreciating asset, whether tangible or virtual, data requires strong privacy and security protections.

While companies and government agencies are steadily migrating sensitive workloads to cloud environments, the heavily regulated financial sector has been less willing to lift and shift their data to a public cloud [1]. According to an IBM commissioned report, financial institutions are only running 9% of their storage, disaster recovery and data archiving applications in the cloud. This hesitancy is due in part to the heavily-regulated nature of financial services, the global growth of privacy and data protection regulations (e.g., European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA)) and restrictions in cross-border data transfers.

This first article in our “Privacy and Security in the Cloud” series provides a high-level overview of how the combination of IBM Cloud for Financial Services™ and Promontory’s advisory services can help clients address their privacy, security, and data protection obligations.

IBM Cloud for Financial Services

The IBM Cloud for Financial Services operates on the IBM public cloud and provides a custom-made, secure environment for financial institutions and their partners to process critical and sensitive workloads. This financial services-centric cloud is designed to enable financial institutions, their independent software vendors (ISVs), Software as a Service (SaaS) providers and IBM Cloud to transact and operate securely and confidently.

Built with-and-for the financial sector

Initially developed with Bank of America, the IBM Cloud for Financial Services has since onboarded other global financial institutions — such as BNP Paribas, Luminor Bank and MUFG —  and is now backed by more than 120 ecosystem partners. This includes SAP, EY, Tata Consultancy Services, ISVs and several SaaS providers that continue to contribute to a secure, compliant and auditable public cloud environment for financial institutions with critical workloads.

“Being able to bring the independent software vendors, software-as-a-service providers and fintechs into an ecosystem with a proactive security and compliance context is really what we’re all about. That will enable a flourishing of adoption of innovation.” — Hillery Hunter, VP & CTO, IBM Cloud

Driving cloud compliance: IBM Cloud Framework for Financial Services

The heart of the IBM Cloud for Financial Services is the IBM Cloud Framework for Financial Services (Framework for Financial Services).

The Framework for Financial Services is comprised of a standard set of controls, architectures and deployment patterns informed by global regulatory requirements for cybersecurity, data security, data privacy and risk management. This also includes ongoing governance by IBM Financial Services Cloud Council and Promontory to ensure currency with new and changed regulations. The Framework for Financial Services currently applies base controls — aligned to the National Institute of Standards and Technology’s (NIST) Special Publication 800-53,Security and Privacy Controls for Information Systems and Organizations [2] — with specific IBM Financial Services guidance providing a common control approach to IBM Cloud services, IBM software and third-party ISV and SaaS providers.

IBM Financial Services Cloud Council

To further inform and influence the IBM Cloud Framework, IBM established the Financial Services Cloud Council (Council), a group of senior executives from global and regional financial institutions leading a focused effort to reduce the risk of cloud consumption across this highly regulated sector. IBM and Promontory work with the Council to help drive an innovative new construct for public cloud centered in cloud privacy and security, enabling cloud adoption for critical workloads.

The Promontory advantage

Promontory helps organizations successfully embark upon and execute large-scale business and technology transformations. Our teams of former industry practitioners, executives and regulators advise clients on key risk, compliance, privacy and operational resilience program elements and regulatory requirements. No matter where a client is in their cloud journey, our teams can assist throughout every stage — from upfront strategic design, through migration and development, to ongoing management.

Promontory’s privacy, risk management and regulatory services

To fully benefit from a cloud transformation, institutions also need a sound target operating model to address future technology, privacy and compliance risks, as well as evolving regulatory and business requirements. Promontory’s services are tailored to the specific size, complexity and needs of a client. Services can be delivered as standalone work efforts or executed as a comprehensive, end-to-end solution.

With offices across the U.S., Europe and Asia, Promontory helps firms integrate technology into their privacy risk management frameworks and develop privacy control frameworks to support compliance with local, national and regional privacy requirements.

Promontory advises organizations on how best to meet their privacy requirements through creating or conducting the following:

• Accountability and governance frameworks
• Privacy compliance assessments
• Privacy risk assessments
• Incident reporting process
• Data localization strategies
• Cross-border data transfer strategies
• Third-party risk management assessments.

Promontory also helps clients to adopt a privacy-by-design (PbD) [3] approach that embeds privacy controls into services, systems and applications at the design stage to avoid compliance gaps and delays. PbD helps ensure that personal data in the cloud is used only for the purposes disclosed to end users.

Promontory’s Cloud Privacy Control Deployment: Bringing order to privacy regulations

The world of global privacy regulations is complex, with a torrent of varying obligations carrying financial and reputational consequences for non-compliance.

Promontory’s Cloud Privacy Control (CPC) Deployment provides a comprehensive and pragmatic approach to privacy compliance in simple and complex private, public and hybrid cloud environments. Designed to align regulatory requirements, industry standards and business needs, the CPC provides a solid baseline for effectively and efficiently managing privacy in the cloud.

Promontory also offers managed privacy services to assist privacy program operations. Scalable and flexible on-demand privacy operations help firms manage day-to-day privacy operations, clear backlogs, address unpredictable volumes of work and reduce costs.

IBM and Promontory provide a full-service cloud experience

IBM Cloud’s security and privacy services — in combination with Promontory’s regulatory advisory services — provide clients with a holistic and practical approach to an increasingly complex cloud environment.

Learn more about the IBM Cloud for Financial Services.

Watch out for our next blog: “Get a Good Night’s Sleep in the Cloud: The Security and Privacy Benefits of IBM and Promontory Services”

[1] Angus Loten, IBM, Bank of America Team Up on Public Cloud Aimed at Banks, Wall Street Journal, November 6, 2019

[2] National Institute of Standards and Technology’s (NIST), Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations.”

[3] See also, “IBM Security and Privacy by Design (SPbD@IBM).”