Building Resilience in the Cloud

In 2019, AFME published its first paper on the adoption of public cloud in capital markets^[1]. Since then, the adoption of cloud has continued to progress, along with focus from policymakers and regulators.

Though the use of cloud and Cloud Service Providers (CSPs) offers a significant uplift in resilience and security compared to banks' on-premise environments, the regulatory focus continues to expand from concerns over the security of CSP platforms to the implications for resilience.

This focus has been part of a broader regulatory narrative covering outsourcing/third-party risk management, concentration risk, and operational resilience over the last three years. However, banks continue to use a wide range of criteria to assess their cloud resilience needs and identify solutions to mitigate these risks.

This paper, developed with members of the AFME Cloud Computing Working Group (Members) and in collaboration with Protiviti, explores two main solutions that often emerge in discussions between regulators and policymakers for cloud resilience^[2]. These are the portability of data/applications/workloads amongst different CSPs and multi-cloud strategies.

While banks increase migration to the cloud and seek to identify the appropriate solutions, there are concerns that recommendations towards portability and the use of multi-cloud to achieve outcomes sought by regulators (increasing cloud resilience and mitigating concentration risk) will introduce further limitations on adoption:

Portability poses significant technical limitations and a loss of differentiated cloud benefits as a mechanism for increasing resilience (e.g. limited benefit in a CSP stressed exit where a bank may have reduced or no access to its data, or limiting cloud-use to CSP foundational services only).
Multi-cloud strategies, while used for contingency and resilience, are primarily adopted for accessing unique services across CSPs. While multi-cloud can reduce concentration risk to some extent, the technical, process and resource complexity needed to support multiple CSPs can lead to decreased resilience overall.

Instead, regulators should support banks adopting a risk-based approach which would provide them with flexibility based on their usage and technical needs. This should involve the choice to adopt multiple complementary solutions for resilience, rather than specific solutions being mandated for all.

We have identified four areas where additional support from policymakers and regulators and engagement from CSPs can assist banks with the resilient adoption of cloud services:

Ensure regional and global alignment on cloud resilience and risk expectations;
Enhance information sharing and transparency requirements for CSPs;
Promote increased comparison amongst CSP service offerings; and
Encourage cloud cross-border data flows and storage.

AFME and its Members look forward to discussing the findings and recommendations from this paper with industry participants and continuing to support cloud adoption in capital markets.

[1] The Adoption of Public Cloud Computing in Capital Markets

[2] A definition of cloud resilience has been developed for this paper in Section 1 to explain its broader meaning beyond the two solutions discussed in this paper