The Keys to the Cloud
Australian pension fund UniSuper, with around $90 billion in assets under management, recently found itself in hot water with customers when roughly half a million members lost access to their accounts for about a week, according to the news site The Guardian.
The service disruption wasn’t due to a data breach or ransomware attack. Instead, the company’s cloud provider — Google Cloud — inadvertently deleted UniSuper’s subscription. “This is an isolated, ‘one-of-a-kind occurrence’ that has never before occurred with any of Google Cloud’s clients globally,” wrote UniSuper CEO Peter Chun and Google Cloud CEO Thomas Kurian in a statement. “This should not have happened. Google Cloud has identified the events that led to this disruption and taken measures to ensure this does not happen again.”
The outage was so pervasive and long-lasting because the erasure of the company’s cloud also deleted the Google Cloud-hosted backup. The fund’s systems — along with “hundreds of virtual machines, databases and applications” — were lost; UniSuper relied on a secondary backup with another provider to help restore service.
Companies around the world have increasingly relied on the cloud to do business and to improve productivity, profitability and decision-making. In a 2023 PwC survey, 78% of executives said their company had adopted cloud in most or all parts of their operations. And 90% of U.S. bank executives responding to a Crowe LLP and American Bankers Association poll in 2021 said their institution maintained at least some data, applications or operations in the cloud.
Banks work with third-party providers to deploy the cloud across their organizations — and too often, they lean on that provider to manage their data without considering who on staff could have access to it, says Ben LeClaire, a principal at Plante Moran. That could be a critical error. “Your data is your data. You're responsible for it,” he says. “The second anything happens to it, look at where the customers turn to.”
LeClaire says banks need to know who’s in control, and what their vendors can access and change. “What this event highlights, from a risk perspective, is knowing who's at the helm to make authorized or unauthorized changes,” he says. Are changes limited to a small number of the vendor’s employees or a large group of IT staff?
Requesting that information should be part of any bank’s due diligence process, says LeClaire. “The more people that have the right [to make changes], the more chances of even an honest mistake occurring. It really is about limiting that as much as possible.”
• Emily McCormick, vice president of editorial & research for Bank Director