The regulation driving multi-cloud adoption in FSI

Financial regulators are becoming increasingly worried of the implications the increased adoption of cloud can have as more and more financial services companies are gradually becoming more reliant on Cloud Service Providers (“CSP”). With the dominance of the space by Amazon, Microsoft and Google, the failure of any one of them could prove a single point of failure for a big portion of the financial system. Consequently, regulators have proposed regulation that aims to lower the systemic risk this dependance introduces into the system. This involves everything from doing proper due diligence and risk assessments of the CSPs to having architectures and plans in place that reduce operational risk and increase resilience.

Regulation in the EU and UK​

The EU Digital Operation Resilience Act (“DORA”) entered into force on 17 January 2023. This Act aims to improve the resiliency of the financial sector to Information and Telecommunications (“ICT”) related incidents. DORA creates a regulatory framework that seeks to ensure that the financial system has the required safeguards to mitigate cyber-attacks and other possible causes of disruption. It’s expected that companies addressed in this Act (from CSPs to crypto exchanges) will have two years to comply with this new regulation.

In the UK, the PS21/3 operational resilience regime took effect on 31 March 2022, introducing requirements for UK banks and insurers to be able to respond effectively when disruptions occur that would otherwise prevent firms from providing 'important business services' as usual and providing their services for a period of time.

Meanwhile, in the US a set of 'Sound Practices to Strengthen Operational Resilience' have been issued by regulatory authorities to large banks, which are expected to address risks to operational resilience such as cyberattacks, natural disasters and pandemics.  A second focus of US banking regulators is the ever evolving nature of cybersecurity risk, with a focus on increasing transparency on reporting during an attack and a firm's response.

Main considerations & Multi-Cloud​

Although regulation has reasonably shied away from becoming too prescriptive in how financial services companies run their operations and architect in the cloud, it has become more and more demanding in terms of resiliency requirements. Initially, the regulation didn’t lead to having organisations use a multi-cloud or hybrid-cloud setup, just with having multi-region or multi-availability zone architecture was enough to have the “required” resilience. However, with regulation now including topics such as concentration risk to a single CSP (i.e. DORA – Chapter V article 26), substitutability/portability (i.e. SS2/21 – Section 10) and robust exit strategies (i.e. DORA – Chapter V article 25.9), a multi-cloud or hybrid-cloud architecture now appears to be the future. Here a more detailed view on these concepts:

• Concentration Risk: Regulation wants financial services companies to assess, when contracting with an ICT third party, how dependent they would become such that the unavailability, failure or shortfall of service of the provider can endanger the ability of the financial entity to deliver its critical functions or suffer adverse effects.
• Substitutability: The ability, if necessary or desirable, to transfer the proposed cloud outsourcing arrangement to another CSP or reintegrate the services in other ways possible (e.g. on premise).
• Exit Strategies: Financial service companies need to ensure that they can exit their contractual arrangements (e.g. exit their current public cloud) without having disruptions to their services, limiting their compliance with regulatory requirements, or damage their business continuity and the quality of their service to customers.

These concepts combined indicate that financial institutions need to plan ahead and build in a way that provides them with the flexibility to fail over safely to another CSP and be able to move from one cloud provider to another without business disruption when needed.

Why A Portability Strategy Makes Sense​

The complex nature of architecting for the cloud leads to tightly-coupled deployment processes that are highly scripted and need a high level of engineering competence to write, maintain and oversee.  However this technical debt incurred by firms is a massive barrier to flexibility and being able to comply with the regulations at a reasonable cost.  Integrating a portability strategy into cloud deployments solves this problem by providing flexibility to deploy across any cloud with a low cost of change.  This means adopting toolsets that interface equally across any selected cloud - being able to switch platform provisioning easily, and to deploy applications and configure their networking easily.  

Building this from the ground up can be a very challenging task as building for multiple clouds is not an easy process. At Ori, we are helping solve this challenge for leading cloud-agnostic organisations with no-code deployment orchestration, and through support for multi-cloud provisioning with Multy.