Does the Cloud have Banking level security?


The short answer is yes, but in this brief article we want to explain which aspects need to be considered and how that level of security can be achieved.

Today's world demands ever more hyperconnectivity, which continuously accelerates the digitization of all kinds of services so that providers can meet users' needs and remain competitive. One of the sectors where this is most visible is the financial sector, which has been strengthened by new service offerings made possible by technological innovation, especially the integration of the cloud and APIs. This, however, has raised a question: is the cloud secure enough?


BigTech companies

Cloud services arose in response to the broad demand for applications that companies and their clients can reach in a fluid, fast and efficient way, and to the growing volume of data that companies need to process. Their defining characteristics are wide availability and low cost.


This is made possible by virtualization, which gives access to a virtual computer that behaves as if it were a physical computer with its own hardware; the technical term for this computer is virtual machine.

Virtual machines on the same physical server, when properly deployed, are isolated from each other: they do not interact, and the files and applications of one virtual machine are not visible to the others, even though they run on the same physical hardware.


Virtual machines also make more efficient use of the hardware that hosts them. By running many virtual machines at once, one server becomes many, and one data center effectively becomes a large number of data centers capable of serving many organizations. This is why cloud providers can offer the use of their servers to many more customers at a very low cost.


For most companies, operating even a remotely similar infrastructure is almost unsustainable because of the high maintenance costs and the constant bottlenecks in their workflows. BigTech companies, by contrast, have specialized in exactly this; since it is part of their line of business, they have developed the expertise needed to keep those workflows running optimally.

They remove the burden of maintenance and technical expertise from their customers, who can stay focused on their own specialty while the cloud provider takes care of maintaining a secure and efficient server offering.

Fintech

For its part, the digitalization of financial services has accelerated at a dizzying pace. Integrating these new technologies has made it possible to expand the portfolio of services and re-imagine banking to such an extent that, for a large number of users, visits to a branch are now virtually unnecessary.


This triggered a massive move to the cloud by many banking institutions, which alerted regulatory agencies such as the National Securities and Exchange Commission (CNBV). The CNBV immediately started a risk analysis aimed at ensuring stable operations that do not harm the end users of these services.


Banking services fall under its regulations and are of special interest for avoiding financial crises, so, to determine whether the cloud is large enough and secure enough, the regulatory body ruled as follows.

Cloud risks according to CNBV

As a starting point, the supply of cloud services is scarce, since the main providers are BigTech companies, and the technology is relatively new. This amplifies the risks detected, which can be grouped into four areas of special interest:

  • Business continuity.
  • Provider blocking.
  • Concentration.
  • Geopolitical risks.

Business continuity: within this category, the CNBV points out that, to minimize risk, several providers should be used so as not to depend on a single one.

Provider blocking: here the regulatory body highlights the risk that a cloud provider could revoke access instantly and subsequently become a competitor offering financial services.


Concentration: this guideline notes that, given the bargaining power and size of the BigTech companies, they monopolize the market and cloud providers are few, while the alternative offerings, being little known and new to the market, represent security and reliability risks.

Geopolitical risks: this aspect concerns the regulations of the region where the provider's servers are located. Service interruptions there can cause major failures if they occur.

As a general rule, most providers have a presence in several geographic regions and several data centers within each region, which reduces the risk of disruption. However low the risk, though, it is not impossible for a disruption to occur.

Is the CNBV the only one concerned?

While the National Securities and Exchange Commission paints this picture, it is not the only regulatory body concerned about the risks of the cloud. Regulators in different parts of the world have conducted their own analyses; in the United Kingdom, for example, regulators have made their concerns about the technology's potential risks public and acted accordingly.


Fortunately, most regulatory bodies around the world have shown broad similarity in their concerns and in the actions they take to regulate cloud migration, mitigating its risks while leveraging its benefits.

Mexican Fintech Law 

This is a legal provision intended to regulate the operation and functioning of financial technology companies in order to protect users. 

Companies seeking to operate in the financial market must comply with the different measures set out in these regulations, which requires a plan of activities, an implementation strategy and time.


There is good news, though: it is enough to cover the minimum requirements (related to finance, accounting, systems and information security) to be authorized by the CNBV to operate.

What are the regulations that a financial institution wishing to migrate to the cloud must comply with?

The general provisions issued by the National Securities Commission (CNBV) establish the authorization processes for financial institutions interested in contracting third-party services for the performance of operational processes and/or the administration of databases and computer systems.

There are two specific regulations: the one applicable to credit institutions (banks), as well as the one applicable to financial technology institutions or fintechs. Compliance with these regulations ensures CNBV approval for the use of cloud services.  


With respect to the regulations applicable to credit institutions, we have the following: 

Credit institutions 

  • Chapter X: Use of the Electronic Banking Service
    • Section Four, Article 316 Bis 10 to 11
    • Section Five, Article 316 Bis 13 to 16, 18 and 19
  • Chapter XI: Contracting with third parties for services or commissions
    • Section One, Article 318
    • Section Three, Articles 326, 327 and 328
  • Annex 52: Minimum operating and security guidelines for the contracting of technology support services

But is there any guidance on how to comply with these regulations?

Comprehensive CNBV guide for the safe use of the cloud

There is a wide variety of published guides for adhering to the general rules of this regulatory body, mostly developed by the cloud providers themselves. The regulatory body, however, has also published its own guide, which covers topics such as:

  • Due diligence / Assurance of the cloud provider's compliance with requirements
  • Service monitoring / Assurance of operational expectations
  • Outsourcing processes / Assurance of regulatory compliance by the cloud provider
  • Confidentiality and security / Ensuring confidentiality and security of data and applications in the cloud
  • Audit and access rights / Assurance of data access and traceability of data
  • Resilience and business continuity / Assurance of business continuity through a Disaster Recovery Plan
  • Portability / Ensuring the ability to migrate applications and data to another cloud, or to on-premise environments

General minimum requirements to be authorized by the CNBV

Although the CNBV (Comisión Nacional Bancaria y de Valores) guide addresses the different aspects of interest for reducing risk in depth, the following are the minimum requirements for obtaining operating authorization from that body.

  • Governance hierarchies and corporate structure (i.e., a clearly defined top management and management structure).
  • Infrastructure and internal controls of operating, accounting and security systems, offices, and documentation with the respective manuals.
  • Business plan.
  • Protocol and policies for operational and information security risk management.
  • Operational processes and customer authentication that establish consistent criteria for customer evaluation and selection.
  • Risk and liability disclosure policies (so that your clients identify the risks they assume when entering into transactions with or through them).
  • Fraud prevention policies and prevention of operations with resources of illicit origin and financing of terrorism.
  • Annual financial statements audited by an independent external auditor.

Basic documentation to comply with regulatory standards

Organizational chart

This document helps you define clearly the responsibilities of each employee according to their job position and their relationship with information security. Consider not only the areas closest to IT but also finance, human resources, accounting, legal, commercial, and so on.

Information security policy

It defines all the security measures to be implemented to protect information in all its forms and media.

It should describe, in a concise and general way, the guidelines for all the practices to be formalized, usually including criteria for access control, HR security, cryptography, IT operations, supplier relations, vulnerability management, incident management, and so on.

Bear in mind that this is a living document, continuously adapted to the company's needs and changes.

Business continuity plan 

Also known as a BCP, this document defines how the company will act to recover and continue its critical activities in the event of a disruption.

It is key from a security standpoint, since it allows the company to act and restore operations in the shortest possible time, minimizing the losses caused by downtime.

This plan also incorporates the disaster recovery plan (DRP), which defines the steps to be followed to recover the IT area.

Risk assessment policy and methodology

This documentation establishes the criteria for documenting the methodology used during risk assessment. Its objective is to ensure that everyone in the company measures and assesses risks under the same guidelines.

Some aspects that this documentation should contemplate are the following:

  • Identification and valuation of assets: how resources should be identified and valued according to their level of importance.
  • Risk assessment: how to classify risks according to their level of impact on the company.
  • Acceptable level of risk: what types of risks can be allowed.
  • Risk treatment: the procedure for mitigating identified risks.

Information security officer and/or CISO

An Information Security Officer and/or a CISO should be appointed, whose role is to align information security with business objectives and ensure the protection of the company's data at all times.

This person is also responsible for overseeing regulatory compliance in information security and for drafting and implementing the appropriate policies for the area.

Incident management protocol

It should describe the step-by-step process for documenting, analyzing and resolving security incidents detected in the company, which makes it possible to maintain:

  • A record of incidents, their impact and their frequency of occurrence.
  • Incident response statistics.
  • Information to improve controls and policies.

Vulnerability management protocol

Like the previous document, it establishes a step-by-step approach to identifying, assessing and correcting vulnerabilities detected in the company's systems and applications. It also categorizes critical resources and classifies vulnerabilities according to their risk level.

Vulnerability management is an ongoing IT process that helps keep technology platforms and infrastructure protected from potential cyber attacks.
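The risk assessment methodology described earlier (asset identification and valuation, risk assessment, acceptable level of risk, risk treatment) and the vulnerability management protocol above share the same scoring logic, so one added example serves both. The code below is an illustration written for this article, not part of the original text or of any CNBV guide or Amarello tooling; the asset register, the 1-to-5 scales, the classification bands, the acceptable-risk threshold and the sample findings are all constructed assumptions that a real methodology would replace with its own.

```python
"""Added example, not part of the original article: a minimal risk register
that applies the four elements of a risk assessment methodology (asset
identification and valuation, risk assessment, acceptable level of risk,
risk treatment) and reuses the same scoring to prioritise findings from a
vulnerability management process. All assets, findings, scales and
thresholds are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

# 1. Identification and valuation of assets: 1 (low) .. 5 (critical).
#    Constructed register. A finding against an asset that is missing here
#    is scored as critical until the asset has actually been valued.
ASSET_VALUE: Dict[str, int] = {
    "core-banking-db": 5,
    "customer-portal": 4,
    "marketing-site": 1,
}
UNVALUED_ASSET_DEFAULT = 5

# 3. Acceptable level of risk: scores at or below this may be accepted
#    without treatment (constructed threshold).
ACCEPTABLE_RISK = 8


@dataclass
class Finding:
    """One vulnerability or risk scenario recorded against an asset."""
    asset: str
    title: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    severity: int    # 1 (negligible) .. 5 (severe)


def _check_scale(name: str, value: int) -> None:
    """Reject values outside the 1..5 scale instead of silently mis-scoring."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be in 1..5, got {value}")


def risk_score(asset_value: int, likelihood: int, severity: int) -> int:
    """2. Risk assessment: impact (asset value x severity) weighted by likelihood."""
    for name, value in (("asset_value", asset_value),
                        ("likelihood", likelihood), ("severity", severity)):
        _check_scale(name, value)
    return asset_value * severity * likelihood  # range 1 .. 125


def classify(score: int) -> str:
    """Map a score to the risk level used for prioritisation (constructed bands)."""
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def treatment(score: int) -> str:
    """4. Risk treatment: accept only what lies within the acceptable level."""
    return "accept" if score <= ACCEPTABLE_RISK else "mitigate"


def prioritize(findings: List[Finding]) -> List[dict]:
    """Score every finding and return them highest risk first."""
    rows = []
    for f in findings:
        valued = f.asset in ASSET_VALUE
        value = ASSET_VALUE.get(f.asset, UNVALUED_ASSET_DEFAULT)
        score = risk_score(value, f.likelihood, f.severity)
        rows.append({
            "asset": f.asset,
            "title": f.title,
            "asset_valued": valued,
            "score": score,
            "level": classify(score),
            "treatment": treatment(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed findings, in the shape a vulnerability scan or a pentest report
# might deliver them. "batch-reporting" is deliberately absent from the register.
SAMPLE_FINDINGS = [
    Finding("core-banking-db", "Database engine behind on security patches", likelihood=3, severity=5),
    Finding("customer-portal", "No rate limiting on the login endpoint", likelihood=4, severity=3),
    Finding("batch-reporting", "Default credentials on the job scheduler", likelihood=1, severity=2),
    Finding("marketing-site", "Web server discloses its version banner", likelihood=5, severity=1),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        flag = "" if row["asset_valued"] else "  (asset not yet valued: scored as critical)"
        print(f'{row["score"]:>3} {row["level"]:<8} {row["treatment"]:<8} '
              f'{row["asset"]}: {row["title"]}{flag}')
```

Two design choices are worth noting. The classification band and the acceptable-risk threshold are kept separate on purpose: a finding can be "low" by the bands yet still sit above the level the company has agreed to accept, and it is the threshold, not the label, that decides treatment. And an asset that has not been valued yet defaults to the highest value, so the gap in the asset register shows up as a flagged entry at the top of the list rather than quietly disappearing from it.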

Ethical Hacking Report

One way to give the points above greater rigor is to perform penetration tests: simulated cyber-attacks on the company's networks, systems and apps whose purpose is to find and exploit their vulnerabilities.

At the end, the vulnerabilities found are reported so they can be remediated and the existing security reinforced, and a detailed report of the results is produced. For these tests to remain valid, they must be repeated at intervals of no more than one year.

Infrastructure diagram

This should reflect the components, systems, apps, networks, databases, virtual machines and containers that make up the infrastructure, from the outermost to the innermost layer.

It must also show which security measures have been established in each layer of the infrastructure.

Cloud provider audit reports

Your cloud service provider must demonstrate that it holds an information security certification or attestation such as ISO 27001, SOC 2 or PCI DSS, or GDPR compliance, which confirms that it is continuously audited by a third party and follows industry best practices.

How can Google Cloud & Amarello help me comply with this regulation?

Google Cloud has a support process for customers seeking to implement financial services in the cloud. Likewise, Amarello's team of experts is highly trained and specialized to advise you in your transition to the cloud, ensuring full compliance with the requirements set by national and international regulatory agencies.

We align ourselves with the best market practices and innovate to ensure that you maintain a secure, sustainable, scalable and accessible operation.


These are just a few examples of the many financial services companies using Google Cloud to accelerate their digital transformation and modernize their businesses.

HSBC

This financial institution uses Google Cloud to innovate its products and services by unifying data and enabling smarter use of its Big Data. 

Scotiabank

It uses Google Cloud to create predictive and personalized experiences for its customers. 

Max Life

They developed a chatbot powered by Google Cloud technology to answer customer questions and generate stronger leads.

ANZ

Improves its end-to-end regulatory and financial risk reporting processes using advanced data modeling with Google Cloud.

KeyBank

Implements AI and data solutions to generate flexible and personalized digital banking experiences. 

In Mexico, Banorte has relied on Google Cloud through an alliance to accelerate the bank's digital transformation, while PROSA signed an agreement with Google Cloud to improve its infrastructure.

Likewise, Actinver was one of the pioneers in modernizing its infrastructure with Google Cloud with the support of Amarello, and is just one of our many success stories.

Google Cloud is the ideal platform for financial services organizations: its secure, scalable and reliable infrastructure helps you meet regulatory requirements for data security, and together with Amarello's team you can deploy your solution in the cloud in an agile, easy and secure way. Contact us!
