Due Diligence and Ongoing Monitoring


"Your data was not affected" - How to verify service provider did proper investigation when they have issue?

  • 1.  "Your data was not affected" - How to verify service provider did proper investigation when they have issue?

    This message was posted by a user wishing to remain anonymous
    Posted 24 days ago

    Good morning. I recently attended the virtual CSA Financial Cloud Security Summit, which reminded everyone of cloud complexities and the top reasons senior leadership is concerned about cloud security and configuration issues, as well as outcomes like tenants seeing other tenants' data.

    My new biggest concern is the lack of transparency or formal outside verification on whether a cloud security gap is closed following an initial notification of a potential issue, and then the unofficial "all clear" statements by a TPSP where your firm may be a tenant.

    1. What is your opinion on steps to take to verify that a third party service provider who initially reports an issue, and later says your data and tenancy were not affected?

    2. Is anyone aware of a cyber forensics service that can economically engage the third party in confidence (on our 'dime') and issue an opinion that we are safe?

    3. What are the long term implications? What happens when growth pushes aside safety and security for progress?

    4. Will AICPA or CSA take on control verification for continuous cloud configuration and security? 

    This is a greater concern based on the CSA discussions on flaws in cloud-based TPSPs, as well as the greater risk of AI-enabled attacks and potentially AI-enabled software life cycle induced exposures and vulnerabilities.

    For those interested, please see LINK TO REPORT: Cyber Resiliency in the Financial Industry 2024 | CSA