Regulators have been asking for years whether banks' use of a narrow set of cloud providers creates a systemic risk to the financial system.
Now the theory will be tested in public view as Democratic presidential candidate Sen. Elizabeth Warren, D-Mass., has asked the Federal Trade Commission to explore Amazon's role in a recent security breach that happened at Capital One.
It is another significant step toward a very public discussion of how cloud giants receive regulatory oversight, and another strategic move by legislators to highlight the systemic importance of cloud service providers to the wider financial sector.
In Capital One's case, a former Amazon employee exploited a loophole in the configuration of the firewall for an application built on the cloud that allegedly allowed her to access personal information of 106 million Capital One customers and prospects.
As in most breaches that involve a cloud service provider, Amazon has sought to stay at arm's length from the problem. Amazon told The New York Times shortly after the incident that its customers fully controlled the applications they built and that it had no evidence its services were compromised. Capital One also said the breach was the result of a misconfigured firewall within an application built on the cloud, not a flaw of the cloud service itself.
Keeping that distance has been in the interests of both the banks and the cloud providers. Banks build very complex infrastructure and vast information databases on the servers they rent from the providers, and because of a complicated global mix of privacy and cybersecurity rules, they want the fewest outsiders possible to have access to it.
Giving a third-party cloud provider such as Amazon, Microsoft or Google the ability to "fix things" at will, with full access to bank data, would expose the bank to security and privacy problems as much as it would expose the cloud provider to liability.
So instead, the preferred arrangement has been to give banks complete autonomy over what they build and run on these cloud services.
But regulators across the Western world, not only in the United States, have been growing increasingly concerned about how a cloud security breach could impact the financial sector.
After the financial crisis of 2008, the 2010 Dodd-Frank Act codified numerous institutions under the banner of "systemically important," aka "too big to fail," subjecting them to enhanced capital oversight and some additional cybersecurity oversight. Most of the "systemically important" institutions are banks or related entities, such as insurance companies.
But there is a third category of companies that are just as heavily regulated, known as "Systemically Important Financial Market Utilities." These companies are subject to heavy oversight because they help keep the wheels of the financial sector turning. They allow payments to go through and books to settle once markets have closed. They allow future trades to clear and credit card purchases to go through instantly. If they shut down, many other aspects of the financial ecosystem would stop.
Today, there are only eight SIFMUs:
Regulators and legislators have long kicked around the idea that cloud service providers have become integral to financial markets in the same way these utilities are and that a failure of the cloud could present the same, immediate shock to the financial sector as, say, a failure of the Clearing House.
In August, Reps. Nydia Velazquez, D-N.Y., and Katie Porter, D-Calif., suggested just that. They wrote a letter calling on the Financial Stability Oversight Council "to consider designating Amazon Web Services, Microsoft Azure and Google Cloud as SIFMUs under the Title VIII of the Dodd-Frank Act. A SIFMU designation would subject the tech firms to enhanced oversight by the Federal Reserve to ensure a cloud failure of a leading financial institution would not create a catastrophic risk to the nation's financial system."
In a separate August letter addressed to Amazon CEO Jeff Bezos, Sen. Ron Wyden, D-Ore., said, "If Amazon's cloud computing services are found to be the common element in a series of high-profile hacks targeting large corporations, it would raise serious questions about whether other corporations and government entities that use Amazon's cloud computing products are also vulnerable."
They don't talk about it much, but suffice it to say the cloud service providers really, really do not want to be designated as SIFMUs.
Bringing in the FTC to investigate whether Amazon was responsible, directly or even somewhat directly, for the breach at Capital One starts to dissolve the "arm's-length" relationship between the cloud providers and their bank clients.
Suggesting Amazon could be responsible for an application firewall configuration issue, for which Capital One has already taken responsibility, moves Congress another step closer to saying the cloud platform is truly a part of the architecture hosted on it, for purposes of how the financial system runs. This view could hold that, like the Clearing House, the cloud service is a utility indispensable to the proper running of the financial institutions that build on it.
An Amazon spokesperson criticized Warren's letter, written with Sen. Ron Wyden, D-Ore., for conflating the client and host in this way, saying via email: "The letter's claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company's systems, and could have been substituted for a number of other methods given the level of access already gained."
Cloud service providers will be intently watching any response to Warren's letter.