Debate emerges over cloud concentration risk

By Emma Olsson | 18 June 2020

Questions remain over concentration risk amongst cloud providers, following a recent European Securities and Markets Authority (Esma) consultation on cloud outsourcing guidelines.

“I think bringing in some of these guidelines will make people understand and think about: ‘I need to make sure that one provider is secure, and if the relationship goes downhill or prices go up, how can I then move to another provider in a controlled way?’,” says Brian Collings, chairman and chief executive of post trade technology provider Torstone Technology.

Esma’s decision to establish new standards follows a boom in cloud outsourcing over the past few years. The Association for Financial Markets in Europe (AFME) reported last year that spend on public cloud across all sectors would reach $331bn in 2022, compared to $210bn in 2019. Of that spend, financial services accounts for 10.6 percent.

“One aspect that we hope not to see is the cloud marketplace ending up as a duopoly of two big providers, but I think there are enough large providers out there with Microsoft Azure and Google and Amazon where there is reasonable competition. The existing competition out there will force those providers to take these guidelines seriously,” says Collings.

In the consultation paper, Esma stated that a large number of firms relying on a handful of systematically large cloud providers could be dangerous.

“We are not saying that smaller or larger cloud service providers are better, but we want firms and supervisors to be mindful of the risk of concentration,” said Solveig Kleiveland, senior communications officer at Esma, in an email.

But some market participants are sceptical of attempts by regulators to limit concentration risk. According to Daniel Schwartz, head of fintech and capital markets tech strategy advisory firm FT Advisory, the desire to limit reliance on third party providers may be misguided.

“The comments on governance, information security and so on I think are all generally well taken. The challenge I think is that regulators, in an earnest desire to ensure that there’s high quality controls and decision making, may not be focused on what’s reasonable and practical and may not be fully evaluating the risk of moving to cloud versus the alternative of remaining in one’s own data centres,” says Schwartz.

Since cloud providers such as AWS and GCP have more computer storage than the largest banks and invest heavily in cybersecurity, the desire to diversify cloud providers may actually create greater risk.

“The real question is what’s the risk? Not whether inherently relying upon a third party for a substantial amount of your work activity is concerning. It is concerning, but how big a risk is it? Not what’s the impact, but what’s the risk?”

According to Collings, there are two levels of concentration risk to consider.

“One is the actual company themselves, tying yourself into a single company. The cloud itself is very distributed around the globe and the large providers have back-up sites, so the concentration on the actual infrastructure is not too intense. Looking at the concentration on the company itself, there are enough large companies for firms to be able to distribute services across more than one provider,” he says.

The practice of multi-cloud storage has expanded in recent years as cloud outsourcing has become standard. Collings believes Esma’s guidelines will force the market to be more ubiquitous between large providers, making it easier to use more than one, or switch from one provider to another.

Schwartz questions the practice. “The concept that you would diversify your workload in order to support exit or in order to limit concentration risk, really has to be dug into before you accept it,” he says, adding that the movement of data from one cloud provider to another is a substantial and potentially dangerous task.

“If the recommendations are reasonable in principle then the question we all have to ask is: In practice, to what extent is a firm carrying risk and what are the mitigations for that risk, and what’s the residual risk that’s left? And I think that’s the point which somehow gets lost.”
