“Financial institutions should establish a shared responsibility model with the hosting vendor that clearly lays out expectations and who is responsible for what,” Larkin says. “The appropriate cyber protections and terms should be noted in the contract, and the vendor should highlight their cyber controls and commitment to follow regulations and laws within the contract. Ensure the vendor is willing to assume a reasonable amount of liability and provide the appropriate notification and incident management procedures in the event of a data breach. Also, depending upon the type of vendor and their risk rating, look for service-level agreements with financial implications if they are not met.”
Similarly, Larkin says, ensuring that a hosted-solution vendor has spelled out that it has the appropriate technical controls around data can allay any concerns a financial institution might have about losing data when it is not located on its premises. “Financial institutions should ensure they are requiring data encryption, audit logging, and the appropriate perimeter controls within the hosting environment - to name a few,” Larkin says.
“The biggest message is that you cannot sign a contract with a hosting provider and walk away,” she says. “Using a hosted solution does not relieve the financial institution from the responsibility of protecting data. Make sure you have a strong relationship with the provider and hold them accountable, and be aware of who has access to your data and your environment.”
Financial institutions that do move from on-premises technology to hosted solutions benefit from knowing that the vendor now upgrades the software (often behind the scenes) so that everyone is using the correct versions, and that the vendor takes care of server requirements. The IT team can shift that time to other projects, perhaps innovation that improves the customer experience, better manages operational or credit risk, or improves efficiency.
“If a financial institution works with a hosted solution that has the appropriate resources for implementation and ongoing monitoring, and has the appropriate experience and client base, it will be able to keep the financial institution running smoothly throughout the transition – and beyond,” says Larkin.
To take advantage of the efficiencies and security tied to a hosted solution, financial institutions may simply need to reallocate spending from on-premises infrastructure to web-based software and systems; no increase may be necessary. This adjustment of spending and mindset makes it possible for the bank or credit union to focus on the business of banking and its critical strategic goals, whether those are growth, creating better customer experiences, or something else.