- Amazon Web Services' (AWS) role in the Capital One data breach should prompt financial regulators to consider designating the three leading cloud providers — AWS, Microsoft Azure and Google Cloud — as systemically important financial market utilities, Reps. Katie Porter, D-Calif., and Nydia Velazquez, D-N.Y., wrote Thursday in a letter to Treasury Secretary Steven Mnuchin.
- All financial institutions, 100%, use cloud services in some capacity, the letter states, citing a 2016 McKinsey report. The three top cloud service providers own a 57% share of the market, according to ITPro Today.
- Regulatory enforcement of cloud service providers is insufficient, the congresswomen said, citing Federal Reserve examiners' April visit to an Amazon facility.
Capital One's breach impacted the personal information of 106 million customers and applicants, including their credit scores and account balances.
The intrusion was led by Paige "erratic" Thompson, a former AWS employee, who exploited a misconfigured web application to gain entry into the system. Federal authorities say Thompson also gained unauthorized access to 30 other "victim companies."
The breach, announced in July, heightened public awareness of the tech infrastructure that holds consumers' data.
According to the letter, the Financial Stability Oversight Council must consider four factors when determining whether an institution is systemically important:
- The aggregate monetary value of the transactions it processes.
- Its relationships with other financial market utilities.
- The effect that a failure or disruption would have on critical markets and the financial system at large.
- The exposure of the company to its counterparties.
"Though the cloud service providers at issue may not process monetary transactions directly, their operational stability underpins an increasing share of banks' central functions," Porter and Velazquez wrote.
Bank of America, for example, aims in the next few years to deliver "80 percent of its technological workload" via the cloud, according to a 2017 Microsoft release. (Bank of America partners with Azure for its cloud services.) A disruption to Azure, then, would paralyze 80% of BofA's functions, the lawmakers said. Such an event would erode public confidence.
Porter and Velazquez further point to the use of cloud services by government agencies, citing a pending $10 billion Defense Department cloud computing contract. A failure there could be a threat to national security, they said.
The Bank Service Company Act gives the Fed limited oversight of nonbank vendors that provide the software to run banks' deposit and loan platforms, the letter said. But when agency representatives visited the Amazon facility, they were "chaperoned" by an Amazon employee, allowed to review certain documents on Amazon laptops but not permitted to take anything with them, the letter said.
"The perfunctory review of a handful of Amazon-selected documents over the course of a few hours, on-site, is not meaningful oversight," Porter and Velazquez wrote.
The lawmakers asked Mnuchin to respond by Sept. 15.
Meanwhile, Thompson was denied bail Friday at a hearing in Seattle. A judge denied Thompson's request to be freed to a halfway house with a GPS tracker after prosecutors argued she was a risk to herself who must remain locked up while the case continues.