The Cloud Computing Landscape: what is it?

Cloud computing is here to stay. It comes in many forms, including private, public, community and hybrid. Cloud services models include:

• Infrastructure as a Service (IaaS) – such as flexible processing capacity, communication networks, storage either as dedicated hardware or ‘virtualized’ resources
• Business Process as a Service (BPaaS) – provision of standardized and/or automated building blocks, optimized by the service provider
• Platform as a Service (PaaS) – provision of hardware and software tools to support development activities
• Software as a Service (SaaS) - including application management and maintenance.

The cloud services market in Canada is forecast to grow to $5.1 billion (USD) by 2021, with $600 million growth in the next two years.

Canada has a highly concentrated financial services market, dominated by the top 11: Six Domestic Systematically Important Banks (D-SIBs), one large foreign bank, one large regional co-operative, and three large life insurance entities. 

Financial services firms have embraced the cloud in many different ways, realizing benefits, including:

• Reduced costs and complexity
• Accelerated change including ability to efficiently scale
• Improved efficiency, access, security, resiliency.

Our perspective is that darker skies are ahead driven by concentration risk, coupled with a lack of transparency to actual cloud providers’ risk profile. Other risks such as privacy, security, and regulatory compliance are well known to the industry and regulators. Many cloud providers have established dedicated sites in Canada now, which avoids financial institutions having to move data cross border, and many of these providers certify for SOC 2 and ISO27001 compliance as well as financial industry and health privacy standards (e.g., PIPEDA, HIPA, etc.). 

While no definitive ranking of cloud providers exists in Canada they can be grouped into:

• Leaders/big tech – Amazon, Google, IBM, Microsoft
• Telecom – Bell, Telus
• Specialized – Long View, CentriLogic
• Software as a Service solution providers – Oracle, Salesforce, Temenos, Workday.

While at first glance, the above list seems to offer a wide range of potential diversification, it's essential to do a deep dive on concentration risk. Cloud service providers and, more broadly, fintechs currently operate in a loose regulatory oversight framework.

Concentration: Concentration risk is the risk arising from having many cloud services provided by a single vendor that could fail to perform adequately and potentially lead to disruption in services.

Having a single vendor may enable better pricing, access to specialists, potentially more influence on vendor strategy and product direction, and less administrative burden – regarding periodic reviews. However in a worst-case scenario, said critical cloud services providers could be unable to perform the contracted services for their clients, leading to significant disruption to the financial institution and potential ripple effects to the market at large if more than one such institution is impacted.

Canadian financial institutions have, to a degree, utilized similar cloud services providers to address technology modernization initiatives, leading to cross entity concentration risk. Some examples:

• Leaders/big tech: All major financial institutions utilize Microsoft Office 365
• SaaS: Workday’s Human Capital Management SaaS has been implemented by six of the top 11 financial institutions
• Most financial institutions are adopting Salesforce not only as a CRM platform but as a toolkit to build different solutions for their workforce
• IaaS: Many Canadian financial institutions use one of the Big Tech providers for IaaS. 

This risk can be partly reduced by proper due diligence and continued oversight of the cloud services providers, as well as acting on early warning signals. You can reduce the risk further by having a well-defined cloud strategy that utilizes multiple ‘best fit’ cloud services providers. In this era of consolidation and rapid technological change, we encourage a focus on diversification and resiliency testing. By focusing on these areas, you can ensure the financial institution can repatriate or transition out services to move from one cloud service provider to another if required.

What should you do?

To address these risks and brighten the sky, we recommend:

• Multi-vendor: Establish a multi-vendor cloud strategy to limit concentration risk
• Due diligence: Ask cloud service providers about in-market plans, transition out services and speak to selected relevant customers
• Contract review: For new/existing contracts with cloud service providers ensure transition out services are specified
• Resiliency testing: Establishing robust playbooks, risk scenarios and testability help speed up recovery. This includes testing transition services between cloud providers. Consider alternatives to cloud-based services as part of your BCP and DR solutions do not solely rely on the ability to switch to a different cloud region within the same cloud provider
• Establish portability: Enable moving workloads across platforms through effective design and execution through container orchestration
• KRI tracking: Define and monitor common KRIs across all cloud service providers.

How can Capco help?

Capco understands the business and technology intersection points and has worked exclusively with financial institutions for over 20 years, including work in private and public clouds. We have practical experience in cloud service provider risk management to improve your risk profile. We’d love to know your thoughts.