How much risk do banks face with cloud computing?

Cloud computing is hardly a new service, but banks have traditionally been slow to adopt the technology. Many face significant regulatory hurdles, with security concerns and migration difficulties also major challenges. 

The overall adoption rate is on the rise in the UK, with 88 per cent of businesses using cloud services last year, according to the Cloud Industry Forum (CIF). Banks may now feel the benefits of the technology are impossible to ignore. 

There are three primary drivers of commercial cloud uptake in the country: 

  • Flexibility of delivery;
  • Operational cost savings; and 
  • Scalability.

As a growing number of banks explore cloud services, financial regulators in the UK are beginning to focus on how well businesses are managing cloud-related risks. But why are financial institutions (FIs) at risk? What is the current regulatory landscape? And how can banks address weaknesses in their cloud strategies?

What are the main cloud risks?

A 2016 Accenture study revealed five major concerns that FIs have regarding the cloud. These are: 

Regulatory approval: Finance is one of the world’s most heavily regulated industries and many banks fear they won’t be able to migrate their systems into the cloud or could face substantial fines for any failings. 

Security: FIs encounter security incidents 300 per cent more frequently than other industries, a Websense report found. As such, many organisations are reluctant to have a third-party cloud provider storing their data. 

Data location: Some countries have strict regulations regarding data storage, meaning banks may not be allowed to use cloud providers in other countries. 

Outsourcing risk: As with any third-party service, the cloud means banks must relinquish control over their operational, procedural, security and privacy systems. Cloud providers may also use contractors themselves, exacerbating supplier risk. 

Migration complexity: Nine in ten businesses have problems migrating to the cloud, the CIF found. The average migration project takes 15 months, but larger established banks can expect far longer timelines. 

These challenges may be keeping bank bosses up at night, but are they legitimate concerns? Let’s examine regulatory risk first.

The regulatory landscape for cloud computing in finance

In 2016, the Financial Conduct Authority (FCA) published new guidelines for cloud adoption within the sector. The regulator argued there is nothing stopping banks from implementing cloud services, including public cloud, in a way that complies with the regulator’s rules. 

The European Central Bank (ECB) also specifically warned fintech banks about the hazards of the cloud in a September 2017 report. Cyber security and outsourcing risks are particular problems for fintech businesses because of their technology-driven core, which means they are likely to adopt the cloud at an early stage of maturity. 

But a recent Financial Times (FT) report hinted that greater scrutiny could still be on the horizon. Not only is the Bank of England considering testing FIs’ resilience to cloud threats later this year, but its Prudential Regulation Authority may also publish updated guidance on the subject in 2018. This guidance could precede new regulations for cloud in finance. 

“Given regulators’ increasing concerns about operational resilience, they are bound to scrutinise systemically important firms’ use of the cloud,” David Strachan, a former regulator at Deloitte, told the FT.

Are banks right to be worried about cloud risks? 

Clearly, banks must consider the regulatory environment carefully before widespread adoption of cloud services. But what about the other risks we highlighted earlier? 

Security has remained a hot topic within cloud computing, although the consensus is that previous fears may have been blown out of proportion. Arguably, the major players in the cloud space – Google, Amazon and Microsoft – have encryption measures and security protocols that rival or even surpass what FIs can implement internally. 

Meanwhile, the European Banking Authority released instructions on best-practice cloud outsourcing for organisations in December. FIs were advised to take a risk-based approach by implementing adequate controls and measures to ensure third-party cloud provider relationships don’t fall foul of regulations. 

Data location shouldn’t cause too many problems for British banks; the country has access to many UK- and EU-based cloud services. GDPR and post-Brexit compliance concerns aside, data residency should be in line with regulatory requirements. 

Finally, cloud migration projects could potentially create issues for banks. The CIF survey revealed migration complexity was the most-cited challenge for organisations, and FIs face unique problems when giving data, processes and applications to third-party cloud providers.

Having the right cloud skills in place 

Banks may have been late to the party, but they are quickly ramping up their use of cloud technologies. Whatever cloud models FIs use, they must prepare for the risks involved, which requires a solid understanding of the technology across their corporate governance teams. 

A lack of internal cloud knowledge and skills is a problem for nearly one-third of businesses, according to the CIF. Do you have the right risk management team in place to handle the threats that cloud computing could pose to your organisation? 

Please contact me on 0207 936 8953 or via email at ls@barclaysimpson.com to discuss your cyber security and technology risk requirements today.