How financial services institutions can securely drive innovation and reduce risk in the year ahead
We have seen cloud computing experience exponential growth over the last few years. As this trajectory continues into 2024, we expect enterprises to balance innovation with risk management while meeting the growing demands of regulators, which include managing and mitigating cloud concentration risks and operational resilience. Without a robust strategy and approach to workload and data placement decisions that takes into consideration the criticality of services, resilience and security, firms may inadvertently increase their dependency on a single cloud service provider and ultimately slow progress on innovation goals. This is why it is vital for enterprises to continuously strengthen their approach to operational resilience in a way that is consistent with regulatory guidelines and their firm’s risk appetite.
Operational resilience is paramount for enterprises, as an outage at a critical cloud provider can single-handedly halt business operations in their tracks and, moreover, has the potential to result in long-term damage to brand reputation. Enterprises cannot afford the risk of placing all their eggs in one basket, or in this case, storing all of their data in one cloud, as it is crucial for them to keep operations securely running at all times. As no enterprise is immune to these repercussions, leveraging a hybrid, multicloud approach can be advantageous in accelerating innovation without compromising business continuity, performance, and resiliency.
Cloud computing market draws attention of regulators
We have seen regulators across the globe raising concerns about third- and fourth-party risks in recent years, and especially over the last few months. Organizations in highly regulated industries, such as financial services, increasingly rely on the availability of third-party technology providers to support business-critical operations.
These organizations are under pressure to rapidly modernize as they need to drive growth and performance in a landscape rife with new, nimble, digital competitors who are rewriting the rules of engagement. For example, banks are partnering with both fintechs and cloud providers to help modernize products and services to provide customers improved access to checking accounts and funds. Delivering this hyper-personalized customer experience often includes securely processing, collecting, and managing highly sensitive and confidential information of each individual customer. This is an example of why regulators are implementing stringent compliance standards to ensure trust, privacy and accountability are upheld during the cloud journey.
Financial institutions have traditionally considered concentration risk from an internal perspective and managed it individually with vendor assessments and supply-chain risk management processes. However, in a highly interconnected and interdependent hybrid multicloud ecosystem, the breadth and depth of what financial institutions must consider from a risk perspective needs to expand.
In the US, the Department of the Treasury released a cloud report earlier this year that examined the challenges the financial services industry faces in adopting cloud-based technology. In Europe, in addition to increasing expectations by UK financial services regulators on critical service providers and DORA, the UK cloud market has recently come under scrutiny as the Competition and Markets Authority (CMA) is launching an investigation to gain insight into cloud competition concerns. We view this as a poignant reminder that regulators are doing their job to make sure the safety and soundness of the financial services sector remains intact, and it is incumbent upon the enterprise, software companies (fintechs, SaaS, etc.) and cloud service providers to build and sustain the trust of consumers in our ecosystems.
It is important to note that responsible and practical regulations can pave the road for strengthening enterprise cybersecurity practices and operational resiliency.
Managing and mitigating cloud concentration risks
Beyond the potential risks of negatively impacting resiliency, cloud concentration can also pose a roadblock to accelerating innovation for enterprises. The ability to leverage the best of multiple cloud providers allows enterprises to utilize the unique differentiators of each provider to help further their mission of modernizing business operations by securely collecting, processing, and managing data for an enhanced, customer-centric experience. As enterprises carefully evaluate and choose where they will place their critical workloads and data, it is important for them to consider the security, controls and resiliency built into the workloads that are deployed on each cloud platform, especially for those in highly regulated industries managing highly sensitive data.
It is also important to understand that leveraging multiple cloud platforms disparately can lead to complexity and a lack of interoperability, creating disconnected systems or a “Frankencloud.” A Frankencloud can pave the way for an environment that allows malicious actors to gain insight into an organization. As potential security gaps can cause third- and fourth-party risks to loom, it’s especially critical when taking a hybrid, multicloud approach to design a cyber resiliency strategy with a single pane of glass to gain a holistic view of potential risks and to mitigate complexity. This is why partnership execution is critical among enterprises and cloud providers to ensure alignment on security and resiliency goals from the outset of leveraging hybrid, multicloud environments.
Fostering a community of shared responsibility
Enterprises are finding the need to move faster in building collaborative ways to securely manage and move data with the flexibility to build and deploy any workload, anywhere – with minimal downtime and maximum security. However, they should not only choose cloud service providers based on their modernization needs but should select ones that are evolving their platforms to remain in adherence to changing compliance standards and the threat landscape. But just like anything else, if a hybrid, multicloud environment is not operated correctly, there will always be risks.
Cybersecurity and resiliency need to be top priorities as enterprises embark on their cloud journey. After all, cloud is not a destination – it’s an enabler for accelerating innovation. There is a shared responsibility among all of us to build trust in the hybrid, multicloud journey to securely accelerate innovation. It takes all of us in the cloud community along with enterprises and regulators to manage and mitigate the challenges associated with the complexities of innovation and regulation.