As the financial sector continues to adopt cloud technology, regulatory frameworks such as the updated NIS2 Directive and the Digital Operational Resilience Act (DORA) are shaping the cybersecurity landscape. Every second counts in such a complex environment: attackers can move quickly in the cloud, so defenders must change their strategies and tools to keep up. The financial sector has always been a prime target for cyber attacks, with the average breach costing almost 6 million US dollars. This makes cloud security regulations in financial services more important than ever.
Cybersecurity is a significant concern for FSI executives, with 68% identifying it as a barrier to abducting new technologies. Regulatory pressure has increased, especially recently, with the arrival of the NIS2 directive and the DORA regulation in the European Union and the SEC disclosure guidelines in the United States. To meet compliance requirements, FSI providers must strive to detect incidents within a reasonable time frame.
A recent panel discussion organised by Sysdig gathered industry and regulatory experts to address the journey to the cloud in the context of growing pressure from cloud security regulations in financial services. Missed it? Fear not: this article covers the key takeaways.
Embracing the cloud: a balancing act
A multitude of factors drives cloud adoption in the financial sector. From needing to modernize legacy systems to wanting increased operational efficiency and innovation, financial institutions increasingly turn to cloud technology to stay competitive. Our participants hailing from UBS and Santander underlined that migration to cloud services offers many benefits to financial institutions: cost efficiency, flexibility, scalability, and enhanced visibility.
“Scalability and monitoring are at an arm’s length—now I can just go to an API, take the data I need, and slice and dice it in any way.”
Matt Adams, Enterprise Security Architect, Santander
However, this transition has its challenges. One of the primary concerns surrounding cloud adoption is adopting a ‘cloud culture’ when it boils down to innovation and, more broadly, what tech teams can do differently in a cloud-native environment. This shift necessitates upskilling, reskilling, and internal negotiations to redefine team roles and responsibilities. This transformation requires clear communication and effective change management to ensure all team members understand the importance of adhering to new security standards and embracing their evolving organisational roles. Thus, planning, roadmaps and division of labour become paramount as roles such as FinOps emerge.
The right approach to cloud security is another challenge. “The real thing with the cloud is the configuration of the cloud and the cloud resources. Many people think that a lot of the resources provided by cloud service providers are secure out of the box. There is work that needs to be done,” highlighted one of the participants. Vulnerability management and threat detection happen differently in cloud-native environments than in traditional, on-premise architectures and practices.
The shift towards cloud-based infrastructure and the resultant influx of data has compelled organizations to reevaluate their monitoring and action prioritization strategies. Striking a balance is crucial, as the volume of data generated from cloud trail alerts and budgetary alarms can quickly become overwhelming. Consequently, organizations increasingly adopt a risk-based approach that identifies critical alerts and prioritises actions accordingly. This necessitates a concerted effort among teams to determine which alarms signify high-risk situations, demand immediate attention, and establish non-negotiable security configurations for particular environments.
“The desire to be reactive, to focus on what matters, was always there, but perhaps not the urgency. Now the urgency is there because the data is there.”
Anna Belak, Director, Office of Cybersecurity Strategy, Sysdig
Navigating regulatory frameworks: enter NIS2 and DORA
In the wake of increasing cyber threats and vulnerabilities, regulators have introduced stringent frameworks to bolster cybersecurity in the financial sector. The NIS2 Directive and the Digital Operational Resilience Act (DORA) are two such frameworks.
The NIS2 Directive aims to enhance the cybersecurity and resilience of critical infrastructure across the European Union. It imposes obligations on financial institutions to implement robust cybersecurity measures, report security incidents, and cooperate with competent authorities and other stakeholders.
DORA focuses on ensuring financial institutions’ operational resilience and cybersecurity, particularly those deemed systemically important. It mandates firms to identify and mitigate operational risks, including those arising from cyber threats, and to maintain essential business services during disruptions.
While both frameworks share common objectives, they differ in scope and requirements. NIS2 primarily targets operators of essential services in the EU (e.g., energy, transport, digital infrastructure), while DORA applies specifically to financial institutions. Moreover, DORA emphasises operational resilience, encompassing cybersecurity and broader business continuity and risk management aspects.
Organizations in the heavily regulated financial sector often face the challenge of effectively translating compliance rules into actionable guidelines for operational teams. Bridging the communication gap between compliance, risk management, and IT/Security operations is crucial for successfully implementing NIS2 and DORA. Traditional approaches may not resonate with operations teams, particularly when compliance professionals need more technical expertise to convey these requirements in a relatable manner. This disconnect creates a barrier between the rules that must be followed and the organization’s day-to-day operations, and the challenge grows when looking at cloud security regulations in financial services.
One participant highlighted: “Amongst the challenges for us was shifting the mindset from a policy perspective, namely from policy standards that had clearly been written in on-prem days where a file will must always sit in between you and the internet. That approach doesn’t really work for, say, S3 buckets. And so, working through those challenges ensures that we keep a level of control but also allow the teams to innovate and develop and take advantage of those cloud services.”
Regulatory challenges are commonly seen as a hurdle across industries, yet they also present opportunities for businesses to differentiate themselves. Although adhering to these regulations can be difficult, viewing them as essential guardrails can help organizations adopt a proactive approach. By embedding regulatory requirements into standard processes and embracing innovative thinking, businesses can ensure compliance and create a competitive advantage. When tackled strategically, regulatory compliance can drive business success.
Cloud security regulations in financial services
The drive to innovate and capitalize on the commercial benefits of a well-run cloud environment often clashes with pressures from cloud security regulations in financial services. Many organizations grapple with concentration risk as they often rely on a limited number of key platforms, raising concerns about market stability and resilience. Despite the emergence of new entrants, this issue persists and requires ongoing dialogue between industry players and regulators.
Given the critical role of financial sector infrastructure in market operations, addressing these challenges is essential to ensuring the long-term health and stability of the financial system: “Operation of the markets and the consequences if that fails for reasons of resilience or over concentration: I think that’s particularly one that comes to mind in FSI capacity,” one participant highlighted.
One participant insisted on two major pain points: “The first one is about the security of third-party components. Vulnerabilities in third-party containers are a constant problem. I’ve had the conversation over the last 20 years: the software being delivered is not secure. Then, the other pain point is software that’s developed on a vanilla cloud. And then as teams port it across, they forget that a lot of the policies, and configurations on the bulk of the cloud service providers the banks use are very strict. So, then you’re literally trawling through log files, looking to find out what policy has caused them there not to work.”
Looking ahead: future trends and considerations
Cloud security regulations in financial services will continue to thrive. To transform challenges into opportunities, a more collaborative and translational approach is needed to ensure compliance and effective communication between teams. This will ultimately foster a culture of shared understanding and responsibility in adhering to new regulatory standards.
So, we asked the panelists what change they would like to see happen that would make cloud security and compliance easier.
One participant highlighted the need for cloud service providers to refrain from giving in to fast releases at the expense of security features. Another added that “the task at hand is also to make things workable across different environments and to ensure we can operate just as well on GCP or Azure as we do on AWS.” The third panelist insisted on mainstreaming as-code approaches for policy and compliance; these already exist but are still scarcely adopted.
Get insights on navigating changes and ensuring compliance in the rapidly evolving world of cloud technology!