EU financial regulators yesterday released a report advising new regulation to guard against vulnerabilities that may emanate from the financial sector’s growing dependence on several cloud service providers. The report states: “A limited number of big players dominate cloud services for the financial sector and there are concerns that their interconnectedness in the financial system could be a single point of failure if one were to be subject to a serious breach.”
The recommendation to the European Commission was to “consider the establishment of an appropriate oversight framework for monitoring critical service providers to the extent that their activities may impact relevant entities.”
As a cloud native platform that works with banks and financial service providers in the EU and globally, we have seen a significant uptick in the number of institutions moving to the cloud. They are looking for more flexible and cost-effective ways of operating in a rapidly changing market.
Considering the growth in the market, we agree that its prudent for regulators to monitor and stipulate provisions for cloud services providers. In our experience cloud providers like AWS have been very open and willing to engage with the regulators. It is through these engagements that we have been able to help several banks meet requirements to become the first cloud-based banks in several countries including the UK and within the EU.
A good option for financial institutions who are concerned about specific cloud service providers is to work with technology and companies that are cloud agnostic and have the ability to move between cloud providers (if needed) - like Mambu. Audit and control rights provided by Mambu allows Mambu clients to establish sufficient oversight over outsourced services and fulfill regulatory requirements.
In many instances cloud providers can offer significantly better protection than what can be executed by individual financial institutions individually, due to the necessity to address all their security and compliance needs for all customers, as well as having dedicated focus on continuously improving service characteristics. Cloud service providers like AWS offer highly available solutions that span multiple data centres in one region, and across multiple regions for resilience. Further pre-integrated security solutions that can be enabled with a few configuration changes, allows users to implement them much faster, and at a much lower cost, compared to on-premise deployments.
Many technology providers, that rely on public cloud services, including Mambu, are implementing a multi-cloud strategy. You can leverage multiple cloud service providers as part of the same service and ability to seamlessly switch to a different provider, located in the same or a different geographical region, without impacting the availability and the service level. Business continuity procedures can further involve escrow agreements to allow clients to host the Mambu service, including all data, in a data centre of their choice, should Mambu not be able to provide their service to customers anymore.
Cloud providers’ security controls ensure data protection at the highest levels but legislation aimed at preventing systemic risk is always welcome and we expect the industry to embrace this move.