Balancing act

The UK’s approach to operational resilience and cloud services: balancing support for digital innovation with operational resilience?

The much-vaunted shift to the cloud (a development intended to deliver significant cost savings and allow for easy scalability) brings with it a significant risk of systemic market failure as firms outsource business continuity responsibility to a small pool of major multinational tech players. And with part of their delivery also dependent on a decentralised network of data centers and third-party service providers, a small outage at any link in the supply chain can have a significant ripple effect across the whole economy.

Studies examining the costs flowing from a cloud provider outage estimate global losses ranging from USD 4bn-53bn (for an outage duration of between 0.5-3 days

To set the scene, consider the sheer size and reach of the global cloud market.

In 2021, 5 Infrastructure as a Service (IaaS) providers accounted for over 80% of the market^[1]. Nearly two-thirds of cloud infrastructure spend was captured by the world’s top three hyperscale providers.^[2]

It is therefore unsurprising that regulators are expressing disquiet about the consolidation of the world’s digital ecosystem in the hands of a small cohort of companies. In 2020, Bank of England research indicated that ‘over 65% of UK firms used the same four cloud providers for cloud infrastructure services.’ Regulators worldwide are now using policy tools to temper dominance in the cloud market, increase operational resilience and limit harms arising from a heavily concentrated cloud service provider marketplace.

Global regulatory landscape

The EU’s proposal for a new Data Act mandates greater interoperability and data portability (and may limit or prohibit fees being charged when consumers switch service provider);
Gaia-X, a European initiative for a common software and governance framework for cloud and edge services;
The US House Judiciary Committee’s final report on the Investigation of Competition in Digital Markets. Its proposals to restore competition in the digital economy include introducing structural separation and prohibition of certain dominant platforms from operating in adjacent lines of business, non-discrimination requirements, interoperability and data portability requirements, and prohibitions on abuses of superior bargaining power; and
the recently launched Ofcom cloud services market study.

Risks

Studies examining the costs flowing from a cloud provider outage estimate global losses ranging from USD 4bn-53bn (for an outage duration of between 0.5-3 days), and losses for the largest US firms (corporates and financials) at around USD 10bn for an outage of the top three cloud providers lasting between 3 and 6 days.^[3]

UK approach

As I write, the UK’s Prudential Regulation Authority has an open consultation (closing on Friday 23 Dec) on critical third parties. This followed a June 2022 UK Treasury policy paper examining the role that ‘critical third parties’ play in the financial services infrastructure.
Given the potential for significant disruption (and increased financial stability risks) in circumstances where many firms rely on the same third party, the Financial Conduct Authority (FCA) is likely to be granted direct oversight over certain key services provided to the finance sector. Service providers may also be required to meet minimum resiliency standards and make increased information disclosure to the regulator. It is widely anticipated that the power to designate businesses as ‘critical’ third parties will target in large part the major cloud providers. How far this will require the largest cloud providers to open their doors to regulators remains unknown, although the FCA may be granted powers to enter premises (with a warrant).

Both the EU and the UK are revising the Network and Information Systems Regulations (NIS), again to tighten up perceived gaps in cybersecurity defences. The UK is focusing on supply chain cybersecurity risks, in particular, those posed by the mass adoption of managed services. Managed service providers (MSPs) have the ability to access the networks of thousands of other companies. A vulnerability in one such service provider then risks exposing the networks of all its customers and potentially jeopardises the running of critical infrastructure – a classic ‘weakest link’ effect. The UK will therefore extend current NIS measures to MSPs, with fines for non-compliance and increased incident reporting. The EU’s approach is sector-based, expanding the remit of NIS to cover all medium and large organisations across a number of sectors, as well as addressing cybersecurity of the ICT supply chain, covering business-to-business ICT service management. The UK also launched a May 2022 consultation on the UK’s data storage and processing infrastructure, covering cloud platform infrastructure and MSP infrastructure.

Conclusion

The UK’s reform proposals reflect a deepening regulatory interest in managing the UK’s reliance on third party processing services and large-scale data storage to deliver essential services. But financial service firms cannot afford to be complacent and assume responsibility for managing this type of risk has been outsourced to regulators. The two pronged approach will involve more scrutiny of service providers’ service offerings and increased regulatory oversight, whilst their financial services customers will need to continue to demonstrate they have appropriate operational resilience measures in place.

[1] June 2022 Gartner figures.

[2] Canalys analysis for 2022.

[3] See ESMA paper from 2021, here.

Author

Marcus Pearl

Published date

18 Jan 2024