TORI Response to The Bank of England Statement on Cloud Risk
The Financial Stability Report, published by The Bank of England in July 2021, presented the Financial Policy Committee (FPC) view that additional policy measures are required to mitigate financial stability risks for Financial Service companies using Cloud service providers. TORI Global have experience of managing these risks and of the policy guidance that we expect The Bank of England to recommend, and worked with the Bank on its Industry Operational & Cyber Resilience report.
The Bank Governor, Andrew Bailey, recognised that the Cloud is increasingly an integral part of the financial system and that the model works. Aside from the concentration of pricing power among a few U.S. providers, the report's primary concerns focused on the impact to financial security, whilst also recommending a cross-sectoral regulatory framework and cross-border co-operation in mitigating financial stability risks stemming from operational resilience and third-party risk management between Cloud service providers and Financial Institutions.
We are helping firms to continue their preparations in anticipation of new policy and legislation on the use of Cloud service providers. We think that the key considerations for firms can be broadly categorised as follows:
- Run your own numbers: The recommendation from The Bank of England is, ‘Work out the numbers from your specific business’s perspective, then do the analysis with your own or independent financial experts’. TORI Global have experience of assessing and managing the true cost of investment in Cloud services
- Don’t rush into contracts & service lock-in: Prepare your technology strategy by assessing your current maturity in key areas: proceed with security, architecture, finance and operational assessments. When establishing internal and external costs, include areas such as the categorisation and treatment of data, security and function of tools, capacity and capability of resources, processes, controls for vendors, etc. in the true costs of contracts and services
- Beware of cloud sprawl: Manage your Cloud service catalogue: understand your use of Cloud services, the types of activities, data and processing requirements, and how they are being served. Ensure that development plans for legacy software refactoring and the use of MaaS (Mainframe), SaaS (Software) and PaaS (Platform) alternatives are aligned to the business risks and the risks related to reliance on Cloud Providers. ‘Many variants of how you can scale using [suppliers’] infrastructure and capabilities — no one size fits all,’ but allowing cloud usage to grow in a key
- Know the rules: Address your Cloud Service challenges and risks: define policy for application landing environments, initiate Target Operating Model programs or outcome-based activities such as refreshing developer toolsets within the CI/CD, and improve the related governance. “For instance, do you know the location of the boxes your services will be running on and any legislation that covers those boxes? Where is the company that’ll be doing your processing domiciled? If they are a US company, for example, even if their data centre is in the UK or elsewhere in Europe, it’s likely your data and processing will be subject to the US Patriot Act,”
- Stay Safe: Understand what you are signing up for and that it’s what you intended to provide for your business: “When you go to a third-party provider, you’re placing some of your information security profile in their hands. It might not matter so much if they’re, say, running your fleet of cars via a cloud service, but when you’re looking at moving core services you need to understand the security and compliance implications fully.”
How we can help:
- TORI Global have case studies of helping financial services companies assess Digital Maturity in their use of Cloud Services with their customer channels, developing their approach to user journeys, and providing recommendations and information for development strategies to address maturity risks
- TORI Global have experience of Cloud technology optimisation and transformation, focusing on the assurance of target environments for security and risk, business stability during periods of increased risk in the transformation journey, and assured integrated continuous delivery
- TORI Global understand Cloud operating cost management and risks, through frameworks, vendor and supplier integration within third-party cost management, and defining a target operating model to avoid financial surprises