Trusted cloud in regulated industries – addressing resiliency needs of Financial Institutions

Share this post:

The next generation cloud offering should match the needs of EU businesses and public organizations, empowering them to run mission-critical workloads aligned to their business processes especially in regulated industries. At IBM, we work tirelessly to enable exactly that.

How IBM ensures continuous compliance posture management, aligned with the requirements from global regulators

Liam Benham, IBM Europe’s Vice President for Government & Regulatory Affairs has said “regulators and businesses cannot control the future, but they can choose to allow for optionality when implementing decisions today to ensure that they are future-proof for tomorrow.” And the European Commission’s upcoming Digital Operational Resilience Act (DORA) is a case in point.

IBM’s readiness for DORA and similar legislative proposals began many years ago, as we were the first to be regulated in the US as part of the Federal Banking Agencies audit programme. In Europe, IBM has gone a step further to help banking clients meet the EBA outsourcing guidelines, by introducing the “EBA Cloud Compliance Certificate”, a first of its kind approach to embed compliance alignment in our operations and contracts.

To continue building greater trust and synergistic outcomes for the financial services sector, IBM became the first cloud provider to develop an industry-specific cloud for financial services in 2019. Built in collaboration with Bank of America, the IBM Cloud for Financial Services was designed to address the industry’s unique cybersecurity and regulatory requirements, while providing the benefits and flexibility of a public cloud in a secured environment.

At its heart is the Cloud for FS Control Framework, which enables financial institutions (FIs) to address their regulatory compliance and risk management obligations with a comprehensive set of pre-configured and industry-specific controls. Pending DORA’s entry into force, the Framework will be reviewed and updated as needed so that all FIs, ISVs, and FinTechs can continue to confidently host their applications and workloads in a trusted cloud environment.

The IBM Financial Services Cloud Council is where more than 90 experts from over 60 financial institutions convene to collaborate and continuously inform controls that are required to operate securely with bank-sensitive data in the cloud. This network of experts – comprised of CIOs, CTOs, CISOs, and Compliance and Risk Officers – has come together to co-create and drive the direction of cloud adoption for mission-critical workloads in this highly regulated sector.

Recently, the Council worked together to create an industry-centric cloud metrics model to address hybrid, multicloud governance and reporting. Geared towards different organizational levels and expanding on DORA’s requirements for ICT Risk Management framework and governance, this set of metrics helps build a holistic picture for leadership to understand overall enterprise risk.

Resiliency as a means, not an end

IBM has always been a front-running thought leader in realising that the world is hybrid. We know our customers need to run applications on-premises and off-premises with multiple clouds, driving transformative business value with maximum optionality. The evolving nature of risk and resiliency in the increasingly digitalized landscape of financial services is why we aim to empower our clients with the ability to consistently measure, mitigate, monitor, and report on cloud risk and control effectiveness across a multi-cloud, multi-vendor environment.

We are deeply committed to supporting our European FI clients in addressing the challenges of cloud outsourcing in compliance with the EBA Guidelines on outsourcing arrangements, DORA and its upcoming Regulatory Technical Standards. With the help of Promontory Financial Group, an IBM Company, we are continuously monitoring for new and evolving rules and regulations, assuring a ’fit-for-purpose’ cloud risk operating model, compliance and risk management system.

Based on our existing capabilities within IBM Cloud for Financial Services and ongoing dialogue and collaboration with FIs and regulators via the FS Council, we put great emphasis on:

• Stronger data safeguarding practices including data encryption techniques and key management practices

At IBM, we strongly believe in protecting our clients’ data through technical measures and welcome the focus on security, resiliency, and data protection within DORA. IBM uses encryption, both when data is in transit and ‘at rest’ by offering Bring Your Own Key (BYOK) and Keep Your Own Key (KYOK) technologies which allow clients to hold the encryption keys that protect and control access to data. We also aim to protect ‘data-in-use’ via IBM’s Confidential Computing which helps keep data continuously encrypted, including when it is being processed in memory for business applications and processes.

• Securely deploying cloud services anywhere and allowing data to remain in-country

With IBM Cloud Satellite, we’re bringing the modern architecture of public cloud to the financial sector. With an extended set of security, compliance and risk management controls FIs can run their cloud services in any environment they choose – on-premises, at the edge or across multiple public clouds. Additionally, for those clients who prefer it, IBM’s EU-only option ensures that clients’ data are stored and processed in the EU and that EU-based personnel make updates and perform operations of cloud services.

• Portability and interoperability as cloud gateways to legacy IT systems of FIs

Europe needs a more competitive market, which supports innovation, prevents vendor lock-in and nurtures data portability to drive transformation. As European organizations increasingly adopt cloud technology, they must remember that undue risk may be incurred through over-dependence on cloud services from a single provider and its data centres. IBM has a long history of commitment to open source innovation, advocating against vendor lock-in and in favour of a multi-vendor strategy. Our strategy has always supported the freedom of choice and flexibility which are critical for our clients’ success.

Enabling Financial Institutions to assess different categories of risk affecting their business

Enabling European clients to deploy mission-critical workloads with high levels of security and address their data sovereignty and regulatory compliance requirements is a core part of our mission.

Against the backdrop of a challenging regulatory business, and threat landscape, we are working to ensure that our clients can architect at the highest levels of control to allow for speed of execution as they securely adopt cloud services.

IBM is ready to help companies on their journey to upcoming DORA Compliance, as we work together to:

• Conduct maturity assessments in order to identify gaps and draft mitigations plans according to DORA requirements
• Leverage the work done to comply with the previously enforced EBA guidelines on outsourcing to deliver and register all outsourcing arrangements
• Start working on different testing scenarios including vulnerability tests, physical security reviews, penetration testing, red teaming/adversary simulation etc. – to raise maturity level of their teams in respect of transversal security management
• Implement the changes up through the compliance and remediation stages to ensure there is clear alignments between business and IT objectives.

As regulations are evolving to meet the ever-increasing needs for more data security and privacy in a digitalized world, IBM is committed to enhance its cloud technologies, processes and controls to cement its position as the trusted cloud provider in the EU.