The UK’s financial regulators will be given new powers to make onsite visits to cloud computing companies used by UK banks, including public cloud hyperscale providers Amazon AWS, Microsoft Azure and Google Cloud, as part of proposals by HM Treasury to bring “critical services” used by financial firms under greater scrutiny.
In a policy statement released today, HM Treasury warned that 65% of UK firms use the same four cloud providers. This poses a significant risk of disruption if one or more of them were hacked or suffered an extended outage, the treasury says, meaning these companies must be subject to heightened security checks.
Is regulation needed for cloud computing?
Steven Dickens, senior analyst at Futurum Research, told Tech Monitor that increased scrutiny on these providers is a positive move. UK banks and the companies that serve them, including cloud providers, “need to be highly regulated for a reason,” Dickens says. “If they have an outage then the economy stops.”
Dickens says that as much as half of all UK cloud infrastructure is housed within just three or four data centres. This “concentration of IT into a few hyperscale data centres is good from a cost and connectivity perspective but bad from a resilience perspective,” he says.
He continues: “Systemically important financial institutions need to optimise for availability and security, arguably more so than they do for cost and flexibility. As banks look to digitally modernise their operations they need to take a balanced view of workload placement and always be aware of the concentration risk of the datacentres when they place their workloads, rather than just which cloud provider they choose.”
Current regulatory powers ‘not sufficient’
Current powers held by financial regulators allow them to set requirements and expectations on financial institutions, which have been used to develop an “operational resilience framework” that third-party suppliers like cloud computing providers for banks must comply with.
However, “these powers are not, by themselves, sufficient to tackle the systemic risk that disruption at a third party providing key services to multiple firms could cause,” Treasury officials warned in a statement today.
“In particular, no single firm can manage risks originating from a concentration in the provision of critical services by one third party to multiple firms – for example, if these services cannot be easily restored or substituted promptly and without undue costs and risks in the event of the third party’s failure or disruption,” it said. “If many firms rely on the same third party for material services, the failure or disruption of this ‘critical’ third party could have a systemic impact across the financial sector.”
The new powers outlined in the policy document will bring certain designated “critical” outsourced services under the direct supervision of the Bank of England and Financial Conduct Authority.
There will also be new secondary legislation to back this up, allowing the regulators to make new rules surrounding the provision of services, including making onsite inspections and taking enforcement action in the case of an outage or mishandling of data.
“This will enable the regulators to ensure that services critical third parties provide to firms in the finance sector are resilient, thereby reducing the risk of systemic disruption,” the Treasury statement said.
Dickens told Tech Monitor that IT departments within a bank are heavily regulated, and so hyperscale cloud providers carrying the same workloads should come under the same scrutiny. He points to the US FedRAMP bill, which allows for security scrutiny of cloud services used by the US public sector.
“FedRAMP is similar legislation in the US for government workloads and that has forced the hyperscalers to level up,” Dickens says.