The Bank of England is preparing to take action on ‘cloud concentration risk’, which stems from the finance sector’s increasing reliance on a handful of cloud providers. The Bank wants to access more data from the cloud giants to assess their resilience, the FT reported this week. The cloud providers are unlikely to open up their operations willingly, experts say, and they do not fall under Bank of England (BofE) jurisdiction.
What is cloud concentration risk?
Cloud concentration risk is the risk that emerges from the UK financial sector’s increasing reliance on just three hyperscale cloud providers. In 2020, two cloud providers, AWS and Microsoft Azure, accounted for around two-thirds of UK banks’ IaaS usage, according to a BofE survey. This means that a significant outage or cyberattack affecting one cloud provider could cause disruption both to individual institutions and to the financial system as a whole.
The use of cloud by UK financial institutions is governed by the Financial Conduct Authority’s rules on outsourcing. These require that institutions have “a comprehensive understanding and mapping of the people, processes, technology, facilities and information” that underpin their services.
Last year, however, the BofE warned that cloud concentration risk calls for new policy measures. These should include “an appropriate framework to designate certain third-party service providers as critical; resilience standards; and resilience testing,” it said.
These new measures could now be imminent. The BofE’s Prudential Regulatory Authority, which governs how the UK’s finance sector manages risk, is “exploring ways to access more data from cloud providers Amazon, Microsoft and Google, including on the operational resilience of their services,” the FT reported.
Will resilience testing reduce cloud concentration risk?
The hyperscale cloud providers are unlikely to open up their operations willingly, says William Fellows, research director at 451 Group. “They're culturally averse to having foreign entities inside their data centres,” he explains. “And that isn't going to change, whatever the regulators want.”
This could be problematic, as the US-owned cloud providers are not subject to the UK's financial regulators. “Part of the problem that the [Financial Conduct Authority] and the Bank of England have is that a lot of these providers don’t come under their jurisdiction,” Sarah Kocianski, head of strategic insights at Founders Factory, told Tech Monitor last year.
Fellows believes it is more likely that a third party, such as data centre certification provider the Uptime Institute, could be mandated to inspect the cloud providers’ facilities.
The Bank of England might have more success addressing the way in which financial institutions use cloud services. It could, for example, mandate ‘resilience engineering’ practices, which aim to keep applications running despite cloud outages and other disruptions. These include so-called ‘chaos engineering’, first developed by Netflix, which tests resilience by triggering random infrastructure outages. “The thing about the cloud is that you always have to assume that something is going to fail,” says Fellows.
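The chaos-engineering idea described above can be shown in miniature. The following is an added simulation, not code from the article, from Netflix or from any cloud provider: three constructed stand-in providers are subjected to random outages, and a client that depends on one, two or three of them is measured for failed requests. Provider names, the outage probability and the failover client are all assumptions made for the example.

```python
import random
from dataclasses import dataclass


@dataclass
class Provider:
    """A constructed stand-in for one hyperscale provider (not a real API)."""
    name: str
    down: bool = False

    def handle(self, request_id: int) -> str:
        if self.down:
            raise ConnectionError(f"{self.name} is unavailable")
        return f"{self.name}:ok:{request_id}"


class FailoverClient:
    """Resilience-engineering pattern: try providers in priority order and
    move to the next one when a call fails. Assumes instant switching, which
    is exactly the assumption a real multi-cloud setup has to earn."""

    def __init__(self, providers: list[Provider]) -> None:
        self.providers = providers

    def call(self, request_id: int) -> str:
        errors = []
        for provider in self.providers:
            try:
                return provider.handle(request_id)
            except ConnectionError as exc:
                errors.append(str(exc))
        raise RuntimeError("all providers failed: " + "; ".join(errors))


def run_chaos_experiment(requests: int = 1000,
                         outage_probability: float = 0.05,
                         seed: int = 7) -> dict[int, int]:
    """Inject random outages and count failed requests for clients that
    depend on one, two or three providers. Outage states are drawn once per
    step and shared by all three clients, so the comparison is fair: the
    two-provider client can only fail when the single-provider one also fails."""
    rng = random.Random(seed)  # seeded so the experiment is reproducible
    providers = [Provider("cloud-a"), Provider("cloud-b"), Provider("cloud-c")]
    clients = {n: FailoverClient(providers[:n]) for n in (1, 2, 3)}
    failures = {n: 0 for n in clients}
    for request_id in range(requests):
        # Chaos step: each provider is independently knocked out with the given probability.
        for provider in providers:
            provider.down = rng.random() < outage_probability
        for n, client in clients.items():
            try:
                client.call(request_id)
            except RuntimeError:
                failures[n] += 1
    return failures


def availability(failures: int, requests: int) -> float:
    """Fraction of requests that succeeded."""
    return 1.0 - failures / requests


if __name__ == "__main__":
    total = 1000
    for n, failed in run_chaos_experiment(requests=total).items():
        print(f"{n} provider(s): {failed:4d} failed requests, "
              f"availability {availability(failed, total):.3%}")
```

The model treats outages as independent and switching as free, so it shows the best case for multi-cloud. Correlated failures (a shared DNS or identity dependency, or a workload that cannot actually be moved between providers) erode the benefit, which is why a resilience test has to exercise the real failover path rather than assume it.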
Another approach could be to mandate multi-cloud strategies. According to a global survey by Google Cloud in 2020, 17% of financial institutions then used multiple public cloud providers, but 88% of those that did not planned to implement such a strategy “in the near future”.
A study by researchers at technology vendors Cloudera and Simudyne simulated the use of cloud service providers by banks. It predicts that ‘settlement risk exposure’ – the chance that one or more parties in a transaction fail to meet their contractual obligations – reduces significantly if the institutions use two or three cloud providers.
However, the model assumes that financial institutions can switch their critical applications between cloud providers with ease. This is not currently the norm, explains Fellows: “People are not moving applications and workloads between different cloud providers, minute-by-minute.” Instead, multi-cloud strategies typically involve using different providers for discrete applications.
Furthermore, the BofE may wish to limit the regulatory burden on financial institutions seeking to use cloud. Google Cloud’s survey found that the investment of resources required for regulatory approval was the most common barrier to cloud adoption.