As trading firms seek to leverage the operational benefits presented by cloud hosting and delivery, UK and European regulators are launching initiatives to improve risk management and ensure resilience of financial markets participants’ cloud-based activities.
For many trading firms, cloud offers a compelling solution to a growing number of use cases. The Association for Financial Markets in Europe (AFME) published a paper in November 2019 outlining 14 recommendations to help realise the full potential of public cloud computing across the capital markets industry.
But regulators are concerned about the cloud because of the high volume of cyber-attacks on financial markets technology. According to a report from the European Parliament, finance is estimated to be at three times more at risk of cyber-attacks than any other sector. Cloud providers, with high concentrations of financial services clients, could make tempting targets. The Financial Stability Board (FSB) weighed in with a paper on the risks of the cloud in December 2019.
Harmonization in the EU
The EU’s effort, ‘Digital Operational Resilience Framework for financial services: Making the EU financial sector more secure’, is seeking to create a more joined-up approach to cybersecurity across the region within the financial services industry. Impacting cloud outsourcing arrangements will be a new framework that will enhance rules around information and communications technology (ICT) and security risk management, work to harmonize and deepen incident reporting requirements across sectors, develop a digital operational resilience testing framework, demand better oversight of certain critical ICT third-party providers that “regulated financial institutions rely on”, and require more effective information sharing about security threats.
The 62-question survey that accompanies it asks firms about their cloud strategies, including the kind of Cloud approach the firm has, how Cloud usage fits within risk management, and ‘Did your Board and senior management establish a competence center for cloud in your organization.’
Pursuing resilience in the UK
UK regulators produced two papers in December that will impact cloud arrangements. The first is from the UK Financial Conduct Authority (FCA), Building operational resilience: impact tolerances for important business services and feedback to DP 18/04. The new paper follows on from a discussion paper published in July 2018. The paper specifically identifies the provision of cloud services to regulated firms as a form of outsourcing, and so firms will have to apply all of the operational resilience requirements for outsourcing relationships to these relationships. The paper, when implemented, would require firms to identify important business services, determine impact tolerances for potential disruption, undertake mapping and scenario testing, and provide a communications plan, a governance structure, and self-assessments.
The second is from the UK’s Prudential Regulation Authority (PRA) and was published in December. The consultation paper – Outsourcing and third-party risk management – identifies a wide range of requirements that will impact cloud outsourcing relationships. The paper also specifically calls out cloud arrangements – for example, “in the specific case of material cloud outsourcing arrangements, the PRA will expect firms to assess the resilience requirements of the outsourced service and data and determine which of the available cloud resiliency options is most appropriate. These may include multiple availability zones, regions or services providers.”
More regulatory focus on the cloud is coming. The paper notes that the Financial Policy Committee has “agreed to commence close monitoring of risks from the provision of Cloud services to the financial sector as part of its annual Risks Beyond Banking (RBB) review.” Too, the BofE says it will work with firms to “manage the risks associated with cloud outsourcing, including concentration risk and the lack of substitutability; and to understand any tipping points for systemic risks from wider adoption.” The BofE says it will also work with the Basel Committee on Banking Supervision to develop and adopt international standards on the Cloud.
Industry experts are saying that trading firms seeking to make more use of the cloud should make sure they are having the right conversations with the technology, risk management, and compliance teams around these potential new requirements. These requirements are part of a developing global trend in the way financial services regulators are approaching the cloud, and so it makes sense to build these expectations into any new project from the start – rather than having to retro-fit them in down the road.