ESMA warns financial service firms not to over rely on the cloud

Steven Maijoor, ESMA

The European Securities and Markets Authority (ESMA) has published a consultation paper warning financial market participants not to become “overly reliant” on their cloud services providers and to have a clearly tested cloud exit strategy.

Financial sector cloud use jumped by 43% between 2017 and 2019, according to a recent survey by 4sl, a data custody and availability services firm which polled 200 senior IT decision-makers in UK organisations with 1,000 employees or more. Separate research from the IBM Institute for Business Value, found that the global banking sector’s spending on cloud services last year was almost $100 bn, with cloud-enabled workloads of top-tier banks expected to double annually.

The paper set out guidelines for trading firms that aim to help them “identify, address and monitor” the risks attached to “outsourcing” production applications or any other services to the cloud. These include implementing the requisite documentation, oversight and monitoring mechanisms as well as conducting robust due diligence.

They also advise looking at the minimum elements that outsourcing and sub-outsourcing agreements should cover as well as assessing the exit strategies and the access and audit rights. It also looks at the reporting to and the supervision of competent authorities.

“Cloud outsourcing can bring benefits to firms and their customers, for example reduced costs and enhanced operational efficiency and flexibility,” says Steven Maijoor, ESMA. “It also raises important challenges and risks that need to be properly addressed, particularly in relation to data protection and information security,”

Maijoor adds, “Financial markets participants should be careful that they do not become overly reliant on their cloud services providers. They need to closely monitor the performance and the security measures of their cloud service provider and make sure that they are able to exit the cloud outsourcing arrangement as and when necessary.”

Over the past few year, European regulators and policy makers have been concerned over the operational resilience risks associated with the concentration among a small group of large US tech firms.  Market research shows that Amazon, Microsoft and Alphabet’s Google dominate the field of data storage worldwide, with a combined market share of more than 50%.

These issues were highlighted in the Treasury Select Committee’s autumn report into financial services IT failures which focused on third party provider risk, pointing to a particular problem within cloud services. In addition, last October, French and German finance ministers launched plans to establish an EU-wide data infrastructure to challenge the dominance of US tech behemoths such as Amazon and Microsoft in cloud computing.

European lawmakers fear that sensitive corporate data could be tapped into following the adoption of the U.S. CLOUD Act of 2018 and in the absence of any major competitors, with the exception of China’s Alibaba.

©BestExecution 2020