Banks Forge Cloud Agreements to Split Accountability

Banks are trying to split responsibility for their operating environments with the major cloud providers. Regulators are having none of it.

Today, many regulators classify cloud technology as a form of outsourcing, essentially putting the onus on institutions for their assets and the continuity of their services. But some say that the lines of accountability have been blurred since the shared responsibility model was introduced by some of the biggest cloud providers.

The model is a contractual agreement between the cloud provider and an end user, which outlines how accountability is divided between the parties. It has been around for some time, according to those familiar with such agreements, but has taken on new popularity as trading firms increasingly move their operations to the cloud.

Banks and asset managers hope that this type of agreement could potentially pave the way to redirect some of the regulatory burdens on to the cloud providers.

“You have to come up with a different model in terms of how you assign accountability and how you demonstrate that nothing is falling through the cracks when you do that. That is a real challenge with the public cloud in particular,” says Tom Gilbert, global head of cloud, application and integration platforms at Deutsche Bank.

As the cloud is a broad term for a variety of services—including platform-, infrastructure- and software-as-a-service—providers have mapped out individual guidelines on who is accountable for what. In most cases, the cloud provider is responsible for the hardware and software components, including datacenters, servers, networks, and the virtual environment, whereas end users are liable for their data, platforms, applications, operating systems, and implementation of security checks. 

When negotiating the legal requirements of a contract, the logistics become even more complex when offloading critical control functions to the cloud. Traditionally, in the event of a security breach or technical failure on-premise, internal teams can assess systems, identify the cause and install security patches to prevent further incidents. But in this case, the security controls are run and managed by the cloud provider.


“Security teams would want to carry out forensics on an incident, but the [server or virtual machine] they want to look at isn’t there anymore. So, we need a different way of accessing the metrics and the data,” explains Gilbert.

However, those hoping for a silver bullet may be waiting for a while. From a regulatory perspective, at least, regardless of shared responsibility agreements, the buck still stops with the trading firm when it comes to cloud outages and cybersecurity incidents.

“It is another form of outsourcing, and from the regulatory perspective, it is the regulated firm that remains responsible for the security of its data and for its outsourcing arrangements,” says Nausicaa Delfas, executive director of international at the UK Financial Conduct Authority (FCA).

But while the industry’s thinking pivots towards a new model, lawmakers appear to be keeping watch, and questions circulate over whether cloud providers could themselves become regulated entities.

“It is a really hot and evolving topic and regulators are still evolving their thinking and releasing new guidelines. So, we have to stay on top of what those guidelines say and if there are changes, we have to adapt to that,” adds Gilbert.

Over-reliance and Reversibility

On February 14, the Financial Stability Board released a report, titled ‘Fintech and Market Structure in Financial Services.’ It discussed how financial firms are turning to big tech providers such as Google, Amazon, and Microsoft to clamp down on inefficiencies and the overwhelming cost of legacy infrastructure. The report indicated that the accelerated uptake could expose a new form of risk regarding cloud concentration and over-reliance on the technology.

The FCA’s Delfas says that more industry-wide conversation is required to help resolve the concerns around operational resilience and cybersecurity when outsourcing to third parties.

“I think that the issue on concentration risk is one that we have to continue discussing going forward. The reality is that the cloud isn’t just one thing. There are many different arrangements between firms and cloud providers, and it is something that I think needs further discussion as to what the risk is and how it can best be managed,” she says.

Regulators are intent on ensuring banks and asset managers have a backup strategy that lets them reverse the deployment of their data and applications to the cloud. This includes events where corporate fallouts between a service provider and client occur, or the unlikely scenario in which a cloud provider goes into administration.

“The regulators are always very concerned about those situations developing, where we are overly reliant on a single vendor or single venue, and so multi-cloud will let us offset that risk,” explains Gilbert.

Deutsche Bank is currently undergoing a global transformation project where it is migrating close to 85% of its IT infrastructure to the cloud. At the moment, it is leveraging Microsoft Azure and is looking to acquire multi-cloud capabilities. It has currently completed 43% of its migration and is, on average, moving at a rate of 1% per month. It is not the only institution undertaking such a project—Bank of America is also in the process of migrating around 80% of its operating systems to the cloud, and on the buy side, private equity giant Blackstone is undergoing its own cloud transformation project, even acquiring a cloud consultancy to help manage it.

As the technology advances and more of the industry warms to the idea of the cloud, the increasing volume of workloads, services and data will have to be considered. Firms will have to plan for future potential risks where it is necessary to pull back all operations onto an alternative venue.

According to Gilbert, firms will have to have dedicated cloud backups in the future due to the unsustainable costs of keeping proprietary datacenters and servers on standby. Another element is that pulling the growing volumes of data and functionality back to an on-premise infrastructure would require the procurement of wide-scale capacity, which could take days, if not weeks, to achieve sign-off.


Roadblocks

The growing dependence on cloud computing isn’t limited to banks and asset managers. There is also talk of exchanges shifting their valuable data and operations to the cloud once the technology matures. The roadblocks for this type of adoption primarily pertain to latency and co-location, where industry firms need to be positioned close to an exchange’s matching engine to meet the modern-day demands of high-speed trading and microsecond-level latency.

One concern is the use of cloud technology to support an exchange’s primary systems, and how that could prove risky without the use of hybrid cloud models or back-up servers to redirect the services to, in the event of an outage.

“I know there are some exchanges that have contemplated this for their disaster recovery setting, but the requirements of a primary production data center are too high for what’s offered in the cloud today,” says Chris Isaacson, COO at Cboe Global Markets.
