The European Securities and Markets Authority (ESMA) has released a working paper on financial stability risks from cloud outsourcing, accessible here. Overall, it notes that cloud can increase resilience for financial services firms, but the paper is a timely reminder that a single outage could generate simultaneous firm-level outages due to the concentration risk of cloud vendors. In the working paper ESMA sets out suggested mitigations to deal with this risk.
ESMA notes that, although firms are incentivised to outsource some of their IT infrastructure to cloud service providers (CSPs), such outsourcing carries risks because the market is concentrated in a small number of providers. Because of this concentration, ESMA suggests that the likelihood of simultaneous outages may increase, leading to higher systemic risk for the financial system. Another risk embedded in new technologies is ‘vendor lock-in’, where a financial institution relies strongly on the services of one CSP, for instance because it uses software technology supported by only one CSP. ESMA suggests this could lead to severe difficulties when migrating to another provider. Depending on the level of dependency and on the CSP’s commitments, it may even lead to a catastrophic business failure should the cloud provider go bankrupt or decide to stop providing cloud services.
Referring to a small sample group, ESMA found that CSPs have less frequent outages than clearing members (proxied by central counterparty clearing house (CCP) outage data), but that CSP outages tend to last longer. In its 2020 stress test, ESMA estimated that the failure of the two largest counterparties to a CCP could lead to losses of around EUR 1bn each for the two largest EU CCPs (ESMA, 2020).
ESMA suggests that financial institutions should select an adequate CSP placing an emphasis on the due diligence process to mitigate the risks of simultaneous outages, and that attention should be given to these risks when drafting service level agreements and operational resilience principles. Further, a particular spotlight is placed on back-up obligations (which can minimise the potential cost savings of cloud implementation). ESMA notes that an equilibrium currently exists in which firms outsource to the cloud but do not back up, suggesting that policy intervention may be warranted.
To further significantly reduce systemic risk, ESMA suggests that multi-cloud solutions (where firms use one CSP and another one as backup – or alternatively, the provision of cloud services via independent groups of resources by the same provider) could be used. This will only be effective if the different CSPs have low common vulnerabilities (i.e. can reasonably be treated as independent) and if the services are rapidly portable between them.
Given the ubiquity of CSPs and the continuing migration to their services – a trend accelerated by the COVID-19 pandemic – ESMA notes it is crucial for policymakers and market participants to assess the benefits and risks of outsourcing to CSPs (citing the Digital Operational Resilience Act (DORA) as an example). In the meantime, ESMA is seeking more detailed data on outages suffered by financial institutions and CSPs to verify these findings and calibrate its model.
Watch this space and be sure to discuss the suggested mitigations with your Cloud Strategy Committees!