The recent Treasury Select Committee (TSC) report on IT Failures in the Financial Services sector highlighted the increased adoption of new technologies as an emerging risk to operational resilience – a core focus for UK regulators. A key element of this is the increasing reliance on Cloud service providers, as referenced by Mark Carney, Governor of the Bank of England, in a recent speech: “A quarter of major banks’ activities and almost a third of all UK payments activity are already hosted on the Cloud, and there are considerable opportunities for even more intensive usage”.
With this transition comes a new landscape of risk. This includes data sovereignty and market concentration, where certain Cloud services providers may become a “key point of concentration and present a single point of failure risk where an operational incident could have a widespread impact on the system”.
In order to address this risk, the TSC report suggests bringing Cloud providers who could pose a systemic risk to the financial services sector under the watch of financial regulators. It went further still, suggesting that Cloud services could be classified as critical national infrastructure.
Arguably, the EU’s Directive on the security of network and information systems (NIS), introduced in July 2016, is one attempt at achieving just this. The Directive introduces a national regulator and a clear set of requirements that must be met on an annual basis to demonstrate that the providers are managing the security of their services appropriately. In the UK, the ‘Cloud regulator’ under the NIS Directive is currently the Information Commissioner’s Office (ICO).
But the challenge with the NIS Directive has been the complexity around how Cloud providers are structured. To be regulated by the ICO, Cloud providers must have a head office in the UK or have a nominated representative in the UK. However, prevalent providers serving the UK market often have their head offices based in another EU country, so are under the oversight of the local regulator rather than the ICO. Additionally, if registered with the ICO as a ‘relevant digital service provider’ in the UK, Cloud providers also need to inform the National Cyber Security Centre of any breaches and are subject to fines and judgements under the NIS Directive.
The global nature of the Cloud invariably introduces a discrepancy between where a Cloud provider is based and which markets it serves. This could become a source of further regulatory fragmentation and complexity if Cloud providers serving financial services also fall under the oversight of financial regulators.
For example, if a Cloud provider that is headquartered in an EU jurisdiction but is providing key services for a UK bank suffered a breach, which regulator would it inform first? Under which regulation does its compliance duty lie first and foremost? And under the common ‘shared responsibility model’ that covers all Cloud providers – where the responsibility for certain aspects of the services is shared between the customer and the Cloud provider – how do the regulators know where to draw the line? Indeed, the business case for migrating services to the Cloud may well face renewed scrutiny should there be increased levies for supervision and enforcement activities on Cloud providers, notwithstanding the expected legal challenges that would accompany any such move.
The reality is that new regulation may not be quite the answer it first seems. Measures aimed at improving operational resilience in financial services may have the unintended consequence of hindering the financial industry’s move to a more secure and efficient Cloud infrastructure.
The Cloud encapsulates the global and symbiotic nature of financial and technology sectors. To maximise the value of the Cloud, a more coherent regulatory landscape is called for, and this requires a wider coordination between different regulators, both across sectors and across countries.