ALPS blog

From Trend Micro

Cloud transformation in finance is picking up speed. In an interview, Kay Buchheister, Senior Executive Finance & Insurance at Trend Micro, explains how financial institutions can migrate securely and compliantly to the cloud.

Question: More and more banks are venturing into the cloud. Why has there been such a sharp increase in cloud usage in recent years? 

Kay Buchheister: Just like many other companies, most banks cannot and do not want to do without cloud computing any longer. After all, cloud applications are not only more cost-efficient, but also form the basis for sustainable business models of banks and financial service providers.

What opportunities does the cloud offer banks in concrete terms? 

Basically, it’s about modernising their own infrastructure – away from their own data centre towards flexible and scalable cloud instances. In many banks, cloud computing also has positive side effects: According to KPMG, more than half of the cloud users confirm that the use of the cloud makes a major contribution to digitalisation in the banking sector. This concerns both the digitalisation of internal processes and the development of new business models. We see that the digital transformation in a bank usually starts with a cloud project.

According to a recent study, 77 percent in the financial sector see the regulatory requirements for cloud deployment as a significant obstacle. What regulation are banks confronted with here and where does the challenge lie? 

Maintaining the security of corporate data is one of the highest priorities in the banking sector. The risk of compliance breaches and, for some operators, still unclear regulatory requirements are among the most common barriers to the use of cloud services.

In Germany, there are essentially three BaFin guidelines that set out the framework for banks and are intended to ensure compliance: BAIT (Bank Supervisory Requirements for IT), MaRisk (Minimum Requirements for Risk Management) and MaComp (Minimum Requirements for the Compliance Function). We see another challenge for the use of cloud solutions in banks in the high effort of integrating the cloud services into their own IT architecture.

How must banks react to this? 

Banks would prefer to be completely free to decide which services they outsource to the cloud. In contrast to less heavily regulated industries, however, such an approach is not permitted in the financial sector, as outsourcing to a cloud provider falls under the requirements of BaFin. With its compliance requirements, BaFin primarily aims to ensure that the banks’ IT is in a secure environment and that the financial institutions do not collapse. In order to migrate securely and compliantly to the cloud, banks therefore need a reliable partner with experience in this special environment. As the world’s leading provider of hybrid cloud security, with some of the most important banks among its customers, Trend Micro is the ideal choice for this.

Are there differences depending on which cloud model a bank chooses?

Each of the available cloud models (public / hybrid / private cloud) offers advantages and disadvantages for banks. This concerns both migration and subsequent use in general. But ultimately, the same regulatory requirements apply to all models.

Besides compliance, cloud security is also one of the main challenges for banks. What do they need to do to protect their customers’ sensitive data from cybercriminals?

All banks have to deal with cybercrime. The entire industry is an extremely attractive target and is increasingly being targeted by criminals. That is why there are strict requirements in the areas of security, legal compliance and prevention of economic crime.

If banks want to arm themselves well against future cyber attacks, it is imperative that they invest in cyber security. It will become increasingly important for them to have an (early) detection system for cyber threats to themselves and their customers. Furthermore, which banks are able to detect cyber security incidents at an early stage, deal with them as quickly as possible and report them to the responsible bodies will play a decisive role. This is what we call “detection & response”.
