Counting on the Cloud: Implications of Third-Party Vendor Risk on Financial Stability in the Cyber Age

Client

Institute for International Finance

Advisor

Katheryn Rosen

Semester

Spring 2018

Final Report

View Final Report (PDF)

The Institute of International Finance (IIF), a global trade association, supports its financial institution members in the prudent management of risks and fosters financial stability. The objective of this Capstone was to assess through what transmission channels a cyber event in the cloud could cause financial instability.  The project evaluated how financial institutions are increasingly adopting cloud computing services from third-party vendors as they vie to remain competitive, innovative, and cost-effective, as well as the operational risks posed by migration to the cloud. Although cloud computing provides benefits in productivity and security, it also exposes clients of cloud providers to a variety of unique and escalated risks.

The IIF Capstone team was tasked with three areas of focus to evaluate the third-party risks associated with cloud adoption and their potential impact on financial stability. The team:

(1) assessed the cloud computing market and identified the current state of cloud adoption within banks;

(2) analyzed potential risks posed by employing the cloud and what mitigation techniques are used to hedge the risk; and

(3) explored the current regulatory environment applicable to third-party risk and cloud computing.

The end product provided the IIF principles-based recommendations on how banks, cloud service providers, regulators, and the federal government can structure their institutions or shape the overall environment to effectively mitigate operational risk when outsourcing resources to third-party cloud vendors.

To support this research, the team conducted interviews with stakeholders and experts from the financial sector, regulatory bodies, trade associations, insurance companies, consulting firms, and cloud providers. The team also reviewed industry and academic literature, US regulations and guidance, international statutes and rules, and reports from public sector standard-setting organizations.