The Cloud Computing Landscape: what is it?
Cloud computing is here to stay. It comes in many forms, including private, public, community and hybrid. Cloud services models include:
Canada has a highly concentrated financial services market, dominated by the top 11: Six Domestic Systematically Important Banks (D-SIBs), one large foreign bank, one large regional co-operative, and three large life insurance entities.
Financial services firms have embraced the cloud in many different ways, realizing benefits, including:
Our perspective is that darker skies are ahead driven by concentration risk, coupled with a lack of transparency to actual cloud providers’ risk profile. Other risks such as privacy, security, and regulatory compliance are well known to the industry and regulators. Many cloud providers have established dedicated sites in Canada now, which avoids financial institutions having to move data cross border, and many of these providers certify for SOC 2 and ISO27001 compliance as well as financial industry and health privacy standards (e.g., PIPEDA, HIPA, etc.).
While no definitive ranking of cloud providers exists in Canada they can be grouped into:
While at first glance, the above list seems to offer a wide range of potential diversification, it's essential to do a deep dive on concentration risk. Cloud service providers and, more broadly, fintechs currently operate in a loose regulatory oversight framework.
Concentration: Concentration risk is the risk arising from having many cloud services provided by a single vendor that could fail to perform adequately and potentially lead to disruption in services.
Having a single vendor may enable better pricing, access to specialists, potentially more influence on vendor strategy and product direction, and less administrative burden – regarding periodic reviews. However in a worst-case scenario, said critical cloud services providers could be unable to perform the contracted services for their clients, leading to significant disruption to the financial institution and potential ripple effects to the market at large if more than one such institution is impacted.
Canadian financial institutions have, to a degree, utilized similar cloud services providers to address technology modernization initiatives, leading to cross entity concentration risk. Some examples:
This risk can be partly reduced by proper due diligence and continued oversight of the cloud services providers, as well as acting on early warning signals. You can reduce the risk further by having a well-defined cloud strategy that utilizes multiple ‘best fit’ cloud services providers. In this era of consolidation and rapid technological change, we encourage a focus on diversification and resiliency testing. By focusing on these areas, you can ensure the financial institution can repatriate or transition out services to move from one cloud service provider to another if required.
What should you do?
To address these risks and brighten the sky, we recommend:
How can Capco help?
Capco understands the business and technology intersection points and has worked exclusively with financial institutions for over 20 years, including work in private and public clouds. We have practical experience in cloud service provider risk management to improve your risk profile. We’d love to know your thoughts.