How financial firms can turn cloud rules to their advantage
This article was first published in FT Global Risk Regulator
Supply chain risks
Financial institutions benefit from cloud’s scalability, cybersecurity controls and access to AI and machine learning. For the past decade, cloud has been the enabling factor behind financial product innovation. Cloud regulation or consultations on regulations are anticipated in the UK this year, which will encourage vital focus on digital supply chain risks: cloud cybersecurity and operational and concentration risks.
One example of where financial institutions must take greater care when migrating is the ‘lift and shift’ of legacy, unsupported applications with known security risks. Cloud migration does not solve underlying platform risks. If you took an engine from a 20-year-old car and put it in a new car body, you wouldn’t claim you had a brand new car. So why is this commonly claimed for applications or services migrated to cloud?
We believe responding to the new regulations provides an opportunity to work with cloud partners and leverage the collective responsibility between financial institutions and providers to protect institutions’ and customers’ security, reimagine financial services products and operations, and more effectively manage digital supply chain risks.
Managing digital risks
Financial institutions must deal with technology knowledge aversion and embrace cloud service technology via tech-savvy leadership at the top, improved cloud provider engagement, and practical, real-life digital supply chain risk testing and remediation.
For example, on cloud cybersecurity, many organisations draw comfort from an annual ‘Cloud Penetration Test’ conducted at a known time and with a known set of tests. This provides false comfort with limited or no value. Malicious hackers do not contact banks or insurers, name the date and time of their attack, and avoid using advanced cyber-hacking tools because it might cause too much trouble or disrupt day-to-day operations.
When validating controls, financial institutions need to test against realistic conditions through disruption-free attack simulations, and step up cloud technology contract procurement and management, cloud service single point-of-failure and failure root cause analysis, and critical service downtime and response planning.
The three steps financial institutions must take to prepare for upcoming cloud regulations and better manage digital supply chain risks are:
• increase their understanding of material third-party technology and contractual dependencies;
• invest in ongoing, adaptable holistic cloud security testing, reducing risk of malicious attack; and
• apply end-to-end cloud lifecycle rigour, creating stable platforms ready for the metaverse.
Better cloud management starts with an accurate view of service usage and interdependencies. A coherent, updated service map can provide a meaningful analysis of concentration risks. This map should include: cloud services and their relationship to core business services; contracts and key terms, for example lead-time of cloud service changes; and architecture and third-party technology used to enable and innovate new services.
Financial institutions can then determine precisely where potential risks are, both internal and systemic, and then implement the right mitigation. This should include an assessment of the origin of cloud cybersecurity, operational and concentration risks; the creation of an effective, ongoing testing methodology; and the sharing of insights in a transparent way with regulators.
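As an added illustration, not part of the original article, the following toy service map shows how the elements listed above (business services, the cloud services they rely on, provider, region and contractual lead time) can be queried for concentration risk and single points of failure. All service, provider and region names are constructed sample values.

```python
# Added example: a minimal service map with constructed sample data, used to
# surface concentration risk and single points of failure across providers
# and regions. Names are hypothetical and not from the article.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class CloudService:
    provider: str
    region: str
    change_lead_time_days: int  # contractual lead time for service changes

@dataclass
class BusinessService:
    critical: bool
    depends_on: list = field(default_factory=list)

# Constructed sample map: business services -> cloud services they depend on.
SERVICE_MAP = {
    "payments-swift": BusinessService(True, ["msg-queue", "core-db"]),
    "payments-bacs": BusinessService(True, ["batch-runner", "core-db"]),
    "mobile-app": BusinessService(False, ["api-gateway", "core-db"]),
}
CLOUD = {
    "msg-queue": CloudService("ProviderA", "eu-west", 30),
    "core-db": CloudService("ProviderA", "eu-west", 90),
    "batch-runner": CloudService("ProviderB", "eu-central", 14),
    "api-gateway": CloudService("ProviderA", "eu-west", 7),
}

def concentration(service_map, cloud):
    """Fraction of critical business services that depend on each provider/region."""
    crit = [n for n, s in service_map.items() if s.critical]
    by_provider, by_region = defaultdict(set), defaultdict(set)
    for name in crit:
        for dep in service_map[name].depends_on:
            by_provider[cloud[dep].provider].add(name)
            by_region[cloud[dep].region].add(name)
    frac = lambda d: {k: len(v) / len(crit) for k, v in d.items()}
    return frac(by_provider), frac(by_region)

def single_points_of_failure(service_map, cloud):
    """Cloud services whose loss would stop every critical business service."""
    crit = [n for n, s in service_map.items() if s.critical]
    return sorted(dep for dep in cloud
                  if all(dep in service_map[n].depends_on for n in crit))

def impacted_by_outage(service_map, cloud, provider=None, region=None):
    """Business services affected if a whole provider or region is unavailable."""
    hit = {n for n, s in service_map.items() for d in s.depends_on
           if (provider and cloud[d].provider == provider)
           or (region and cloud[d].region == region)}
    return sorted(hit)
```

Running `concentration(SERVICE_MAP, CLOUD)` on the sample shows every critical service depending on ProviderA and on one region, which is exactly the systemic exposure the map is meant to reveal.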
Imagine for a moment a scenario in which multiple cloud risk factors – cybersecurity, operational, and concentration risks – are exploited simultaneously. Hackers have successfully used a publicised vulnerability, such as Log4J, in a legacy application on a cloud service. The hack has introduced ransomware, locking the ability to make payments via Swift and Bacs, and the contractual landscape means that backups are not taken regularly enough for a meaningful recovery, with recovery procedures untested. The global financial services’ system stumbles.
To prevent this, institutions must look both horizontally across the organisation and vertically down service providers, and work in partnership to mitigate common cross-platform vulnerabilities. The practical steps they can take in response include the creation of ready-to-go service replicas in alternative cloud regions that can be activated at any moment, and the delivery of well-designed code that is portable between locations and platforms, such as horizontally scalable containerised services. They should also run multi-vector cyberattack simulations to test for actual weaknesses, setting up ongoing actions to close cybersecurity gaps.
Financial institutions must not wait passively for new regulation. Shareholder value, capital markets integrity and customer confidentiality all need protection today. New asset classes including cryptocurrencies, non-fungible tokens and metaverse entities are entirely enabled by cloud.
Left unmitigated, the likelihood and impact of cloud digital supply chain risks continue to grow amid the ever-advancing technology landscape. All this time, financial organisations are missing out on the ability to onboard fintechs more rapidly and to gain first-mover advantage from properly managed, cloud-enabled financial services products, and risk being left behind as the digital metaverse starts to create its own trading mechanisms.
All this means financial institutions with robust risk management are best placed to translate regulatory compliance into commercial advantage. By managing cloud security risks effectively and taking these practical steps, financial institutions will be able to meet the needs of regulators and customers, and set up their businesses to harness the future developments enabled by cloud.
Jamilia Parry, Scott Brown, Adam Stringer, Rahul Gupta and Paul Shore from PA Consulting also contributed to the article.