The bank may be subject to various regulatory actions if it fails to perform proper risk management of its relationship with a third-party cloud service provider. These include, but are not limited to, formal orders that limit bank activities, require specific remedial actions (audits, written plans, increased board oversight, etc.) and possibly impose civil money penalties. The Office of the Comptroller of the Currency has imposed civil money penalties in excess of USD 50 million on banks for failure to properly manage the decommissioning of a third-party cloud service provider and for failure to establish appropriate risk management for migrating their technology operations to the cloud.
Numerous cases cite violations of Securities and Exchange Commission ("SEC") Rule 17a-4. These involve both SEC and Financial Industry Regulatory Authority ("FINRA") enforcement matters, as well as the results of routine examinations of broker-dealers. Typically, the findings stem from failures to maintain data in the appropriate format or for the requisite period, and do not implicate cloud service providers per se. FINRA also routinely checks for deficiencies arising from firms' failure to file the required undertakings.
Outside the realm of enforcement, the SEC's Division of Examinations has focused on vendor relationships (including cloud-based vendors). Examination questions have focused on due diligence prior to outsourcing data to a cloud service provider, processes for the ongoing monitoring of vendors, understanding vendor controls and settings, and the nature of the agreements between the broker-dealer or investment adviser and the cloud service provider.
The Division of Examinations has also noted its focus on information security issues generally, in both its 2020 Examination Priorities and, shortly after that, its Cybersecurity and Resiliency Observations Reports.
On 3 January 2020, the Commodity Futures Trading Commission ("CFTC") issued two cyber threat alerts regarding the hacking of approximately 12 cloud service providers. While no specific sanctions were levied against CFTC-regulated entities, the CFTC required regulated entities to disclose whether they were affected by the hacking.