Across the globe, cloud concentration risk is coming under greater scrutiny. The UK HM Treasury department recently issued a policy paper “Critical Third Parties to the Finance Sector.” The paper is a proposal to enable oversight of third parties providing critical services to the UK financial system. The proposal would grant authority to classify a third party as “critical” to the financial stability and welfare of the UK financial system, and then provide governance in order to minimize the potential systemic risk. The financial regulators (HM Treasury in coordination with the Bank of England, Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA)) will “be able to make rules, gather information, and take enforcement action, in respect of certain services that critical third parties provide to firms of particular relevance to the regulators’ objectives (which the regulators refer to as ‘material’ services). The paper references the cloud concentration risk concerns raised by the Bank of England in previous research. At that time, over 65% of UK firms used the same four cloud providers for cloud infrastructure services.
The US regulators have been examining the third-party risk topic in various forms including request for comments last year. Recently they have increased hiring activity to bring on staff to examine the cloud software providers. Cloud concentration risk, system market risk—it goes by various names—is not a new topic. Back in 2019, a letter to the US Financial Stability Oversight Council requested the major cloud service providers to be designated as systemically important financial market utilities.
And then there’s the Digital Operational Resilience Act (DORA) in the EU. DORA received provisional agreement in mid-May with the same overarching goal of helping to provide financial stability in the financial sector throughout the EU.
“…make rules, gather information, and take enforcement action, in respect of certain services that critical third parties provide to firms of particular relevance to the regulators’ objectives”
Are you ready for cloud concentration regulation?
So with this latest scrutiny and round of papers issued by governments, we are about to see a material shift in the regulation of critical third-party providers and specifically the cloud service providers. Rather than wait for a compliance mandate, it is critical for insurers and financial services providers of all kinds to consider—and prepare now—for the implications.
Insurers and financial services firms are very practiced in the requirements related to redundancy and disaster recovery. The regulations surrounding an individual provider and the ability to recover from a failure is largely mandated. Complementary to this, firms are highly motivated to ensure resiliency in order to provide the best service possible, maintain smooth operations, and retain customers. Nobody wants to read about their firm’s outages in the news cycle—it’s just never a good thing! And of course, when a firm relies on a third-party provider for services, software, or a hosted environment, a set of due diligence goes along with ensuring the resiliency of that solution. We all know the drill.
Systemic risk introduces a whole other layer of risk. It is not new either—the ripple effects of the markets are also well understood. Yet the regulation has still been focused on an individual firm’s approach. If the individual entities are strong, the markets will be more resilient. That is starting to change with the recognition that there is a critical dependency on third-party cloud service providers that are not regulated in the same manner. So what are we doing about it? What are we doing to get ready for new compliance measures when the regulators tell us we have too many eggs in one basket?
Market collaboration is required
The cloud service providers have become an integral part of the financial services landscape. It is now the responsibility of the entire ecosystem to manage the systemic risk that comes along with embracing cloud adoption. As a data platform company, we advise a hybrid data platform approach to balance the benefits of cloud adoption while addressing regulatory concerns related to cloud concentration risk (CCR).
Insurers and financial institutions can manage their strict data privacy, governance, and resiliency, while gaining flexibility and portability of data and applications to run their business efficiencies. Cloudera’s hybrid data platform facilitates the portability of data across any cloud to help ease regulatory concerns about concentration risk, and our Shared Data Experience (SDX) manages security and governance consistently across private and public clouds.
Cloud adoption is accelerating and providers are strengthening their infrastructures aligned with the important role they play—penetration testing, cyber security prevention, etc. Yet they are not fully under the scrutiny of the regulators at this time. This day appears to be getting closer across the globe. (And if they are in fact regulated in any specific jurisdiction, please leave me a comment.)
Hybrid cloud is a dominant deployment choice in the market—85% of enterprises report taking a hybrid cloud approach, combining the use of both public and private clouds. (Flexera, State of the Cloud Report, 2021.) It offers flexibility, choice and control. A hybrid data platform enables this flexibility and is recommended in anticipation of regulatory oversight.
Download our ebook to read more about cloud concentration risk.