In recent years, the road taken by U.S. regulators has begun to diverge from the path chosen by rule-makers in Europe and other parts of the world. Aspects of this divergence may soon have an impact on regulatory compliance in risk management.
In fact, whether this divide expands or narrows in 2021 could have significant repercussions on the complexity, cost and effort of organizational TPRM capabilities, asserts Santa Fe Group Senior Advisor Gary Roboff: “European regulators are increasingly requesting unbridled access to the premises, systems, personnel and records of cloud service providers (CSPs),” Roboff says of recent and proposed rules concerning data security. “In the U.S., many organizations would be amused if they were asked to make the type of CSP access requests required under EU regulations. In reality, the concentration of cloud services providers is so great that all but the largest CSP customers essentially operate in a ‘take it or leave it’ mode when signing contracts with those third parties.”
Differing regulatory requirements also have emerged in the U.S. In the absence of federal, GDPR-style data privacy regulations, more states are following California’s lead in developing their own data privacy and security rules. These issues feature prominently among the following 2021 TPRM trends and issues Roboff is monitoring:
- U.S. regulatory divergence: The Shared Assessments Program recently responded to a consultation paper issued by the European Securities and Markets Authority (ESMA) that demonstrates how deeply — and differently — European regulators expect to scrutinize the operations of cloud services providers. Roboff says that ESMA’s proposed examination approach aligns with existing regulatory language from the European Banking Authority. European regulators have a mandate to manage concentration risk, which motivates them to obtain a deeper, more current picture of third parties that provide cloud services. “Concentration risk has been a concern for regulators for years, but it’s become an even larger issue in the cloud services segment,” says Roboff, noting that regulators, especially in the EU, continue to issue guidance that gives them the ability to understand, at a greater depth, the organizations they regulate — and every one of their critical outsourcing relationships. “Financial services regulators want to be able to access third party inventories in machine readable form upon request,” Roboff continues. “For critical service providers, inventories must contain the names of other third parties who can stand in if the primary service provider is unable to provide the contracted service. Regulators also want to see an estimate of how difficult a transition from one service provider to another would be as part of the inventory.”
- Cracking post-quantum cryptography: Like all of his Santa Fe Group colleagues, Roboff keeps tabs on emerging technologies, the third party risks they pose, and how standard-setters and policymakers are responding to those risks. “The reality is that at some point, quantum computers are going to have a field day with many of the cryptography regimes we currently use to protect sensitive data,” asserts Roboff, who monitors the National Institute of Standards and Technology’s (NIST) effort to standardize post-quantum cryptography (PQC). The small-scale quantum computers now being developed by Google, IBM and other tech powerhouses represent early versions of machines whose processing power — as measured in qubits (units, unlike bits, that represent and process information as zeroes and ones at the same time) — will within the next decade or two make the speed and power of current supercomputers resemble 1970s-era handheld calculators. That extreme leap in processing power means that today’s stoutest public-key cryptography protecting critical infrastructure organizations could be easily cracked. “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use,” according to a NIST statement. “This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.” NIST’s PQC, or “quantum-resistant cryptography,” initiative is intended to “develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.” NIST has been working with an array of public and private organizations from around the world to evaluate new encryption algorithms that can weather attacks from quantum computers. “At some point between 2022 and 2024, you will see standards on post-quantum cryptography,” Roboff adds. “Once those standards exist, they likely will become mandated by a regulatory body.”
- The cloud responsibility gap: Before the quantum computing age arrives in earnest, Roboff would like to see a disconcerting oversight in the current cloud computing era corrected. “It troubles me that there is a real lack of guidance concerning outsourcers’ continuing responsibilities to monitor their own operations within a cloud services model,” Roboff says. “Current cloud services regulations seem to be focused on due diligence between the cloud service provider and the outsourcing client.” He points to data security and privacy breaches at well-known companies that occurred through the exploitation of misconfigured systems whose upkeep — even with those systems residing in the cloud — was the responsibility of the outsourcer. “Risk management employees within companies and even some regulatory agencies are not speaking loudly enough about ongoing outsourcer responsibilities to monitor their own operations within cloud services environments,” Roboff adds. “The TPRM community should highlight ongoing data privacy and security responsibilities in outsourced environments.”
Risk managers also should keep in mind that misperceptions can linger for a long time when not corrected. After all, many readers still think Robert Frost’s The Road Not Taken, published more than 100 years ago, is all about taking the unconventional route — as opposed to the many implications of being forced to make a tough choice.