How can the financial services sector tackle cloud concentration risk?

The use of cloud computing by financial institutions has significantly increased in the last few years, a trend that was further accelerated by the COVID-19 pandemic. In the next few years, financial institutions will need to continuously balance the pressure to innovate quickly while managing risk and combating financial crime.  According to Synergy Research Group, the four biggest cloud service providers (CSPs), Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud, account for around 70% of cloud computing global revenues. As financial institutions continue to consume more cloud computing services from the same pool of CSPs, there is a systemic risk that a significant portion of the world’s banking services will be concentrated on a few public cloud platforms.

Why is cloud concentration risky?

The big CSPs have suffered outages in recent years. The stakes for financial institutions rise exponentially if there is a service interruption at a CSP, as they begin to run more of their critical business functions in the public cloud. A report from Lloyd’s of London and AIR Worldwide provides some insight and estimates on the potential losses from a major cloud services outage and these are large numbers. According to the report, an outage at one of the top three public cloud providers in the U.S. for three to six days, could result in total losses of up to $15 billion. 
In addition, there are many smaller and mid-sized financial institutions that outsource critical banking infrastructure and services to few ‘software-as-a-service’ big tech firms that usually tend to run on a single cloud platform. This can result in cascading problems across thousands of institutions in the event of an outage at one of these big CSPs. 

How can financial institutions tackle this risk? 

There are a few risk mitigation measures finserv organisations can take. Let’s explore them here:

Adopt hybrid multi-cloud strategy

Moving to a hybrid multi-cloud approach where data and applications are distributed across multiple CSPs simultaneously. This increases performance, application resiliency and reduces the risks of relying on one cloud platform provider. In the event of an infrastructure meltdown or cyberattack, a multi-cloud environment can provide financial institutions the ability to switch providers and to back up their data.

Build an outsourcing register

• The financial regulators in every country will need powers that allow them to set requirements and expectations on financial institutions to develop and implement an operational resilience framework. This will need to consider both firm-specific and systemic cloud concentration risks.
• The financial institutions should be required to ensure that their contractual arrangements with CSPs allow them to comply with their operational resilience framework that includes areas such as data security, business continuity and application resiliency.
• Regulatory authorities will require financial institutions to periodically report all functions outsourced to the cloud. Financial institutions should gradually build an ‘outsourcing register’ to track critical business processes and functions that are reliant on CSPs.

Build a compliant and secure software supply chain

In order to safeguard the financial system from evolving cyber-risks, vulnerabilities will have to be identified and addressed at the lowest common denominator – operating system and application software packages need to have long-term security patching and updates. As an example, Ubuntu Pro (currently in public beta) from Canonical provides 10 year security coverage for thousands of open source packages beyond the main operating system. 

Transformative innovations in financial services will require financial institutions to build modular, cloud-native applications utilising cloud computing infrastructure and services from CSPs. It is imperative that financial institutions innovate without compromising on compliance, security and support requirements that shall mitigate cloud concentration risks to a certain extent. 

Financial institutions will have to work closely with big CSPs and their supply chains to ensure that there is non-stop security for critical, high, and medium Common Vulnerabilities and Exposures (CVEs) with expanded coverage for more software packages that are used by financial services applications. 

In order to analyse the financial stability risks associated with cloud concentration risk, there is a need to understand the linkage dependencies between CSPs, their supply chain and financial institutions. Financial institutions will need a unified security and governance framework to identify, monitor and address crucial issues in data management that are critical for management of risk exposure across hybrid multi-cloud environments.

Conclusion

In the next few years, financial institutions will continue to adopt new technologies, including the use of public cloud computing to keep up with regulatory and industry demands.  

To address cloud concentration risk while managing the demands of digital transformation, legacy modernisation, competition and regulatory compliance, one of the big levers that financial institutions could use is to adopt hybrid multi-cloud strategies. This approach will help financial institutions to have a unified and consistent approach to infrastructure management, reduce risk and address regulatory compliance challenges, unlock innovation and extend geographic reach while at the same time reducing the cost of unused digital capacity. All the while, they should build an outsourcing register to take heed of cloud concentration risks and keep a closer eye on security and software provenance.

Further reading:

• Finserv hybrid cloud strategy – it starts with Linux
• Finserv open source infrastructure powers digital transformation
• Fintech infrastructure and hybrid clouds
• Cost optimised private cloud for financial services

Image by rawpixel.com on Freepik