Do the events of 2020 prove that cloud solutions represent the holy grail of cost efficiency and information security? Or are there storm clouds on the horizon?

The traditional workplace is spinning on its axis and home-working from the virtual office has moved from a trend to an established fact of life. The early 2010s pivot to the cloud intensified in 2020, in part in response to COVID-19, due to the extra capacity needed for current cloud-based applications to meet increased demand as online usage grew. Difficulties managing data centres during the pandemic have also led some organisations to accelerate migration to the cloud in response to reduced headcount, problems accessing data centre facilities and delays in hardware supply chains.

Research from Flexera showed that expenditure on cloud technology grew 50% in 2020, with investment in Software-as-a-Service, Platform-as-a-Service and Infrastructure-as-a-Service (as well as networking technologies) the leading expenditures. However, research also shows that organisations are over budget for their cloud spend by an average of 23%, while 30% of cloud spend is being wasted.

Given the size of investments, are cloud technologies demonstrating bang for buck? Along with increased willingness to embrace cloud-based working comes attendant risks for organisations, especially those in highly regulated industries like financial services.

"Cloud solutions offer flexible server capacity, scalability, significant cost efficiencies and the promise of the protection of a large tech company’s sophisticated cyber security measures. But what are these promises actually worth to those choosing to invest? And how can the associated risks be mitigated?"

Notwithstanding this, the UK financial services sector, and the FCA, has long been supportive of cloud solutions, recognising that they offer flexible server capacity, scalability, significant cost efficiencies and the promise of the protection of a large tech company’s sophisticated cyber security measures. But what are these promises actually worth to those choosing to invest? And how can the associated risks be mitigated?

Data (security and portability)

Managing migration to new technologies is challenging at the best of times, and made harder when workforces are operating remotely. We have seen substantial fines issued in the US for data breaches occurring on the migration of significant IT operations to the public cloud. Regulators have been critical of both risk assessment processes and the role of internal auditors in identifying control weaknesses in the cloud-operating environment. We have also seen how organisations can be exposed to vulnerabilities at the cloud provider, with one provider’s employee having alleged recently to have contributed to one of the significant US breaches (which involved a credit card issuer). A related issue is how to extract data from the cloud at the end of a relationship.

Regulation of the cloud – what is on the horizon in 2021?

As the transition period in the UK comes to an end and with UK and EU regulatory change in prospect, firms need to manage their risk exposure. Firms need to be able to demonstrate that risk controls are in line with the current EBA guidelines on outsourcing arrangements, FCA FG16/5 guidance for firms outsourcing to the cloud, and the FCA SYSC 8 requirements. Insurers and reinsurers should also note the specific obligations under the Solvency II Directive (2009/138/EC), which are expanded upon in the new EIOPA guidelines on outsourcing to cloud service providers, which came into force across the EU on 1 January 2021, although not in the UK. We await updated ESMA guidelines this year, as well as the outcome of the PRA’s consultation on its draft Supervisory Statement (30/19) on ‘Outsourcing and third-party risk management’ (which has been delayed due to COVID-19).

CLOUD CHECKLIST FOR FIRMS

  • Can your organisation demonstrate appropriate risk controls are in place, in line with both UK and EU regulatory guidance? Is your organisation continuing to monitor the outcomes of EU and UK regulators’ consultations and investigations to gauge direction of travel?
  • Does the transfer of data to the cloud vendor constitute a transfer of personal data outside of the EEA?
  • With global economic distress intensifying, do your contracts have appropriate exit assistance plans, and have these been stress-tested and refreshed to give you comfort that any transition to a new supplier will be handled with minimal disruption to your business?
  • Are your in-house team able to hold your provider accountable and identify systems weaknesses and areas of risk?

Insolvency considerations

Customers now have increased rights in the UK (due to the Corporate Insolvency and Governance Act 2020) to insist on continued service provision from cloud providers, once a customer is in a relevant insolvency procedure. However, all other rights to terminate (for example, on notice) are typically available to the provider in a standard form public cloud contract, which could impact business continuity upon customer insolvency. All regulated businesses should be mindful of the impact on business continuity of any provider termination right which could be exercised when a customer is in financial difficulties. You should not assume that cloud providers are immune in the current financial climate, particularly some of the smaller players. Regulators will require you to demonstrate robust contingency planning and internal efforts should be intensified to identify critical dependencies on companies facing financial difficulties. For SaaS arrangements in particular, the consequences of supplier insolvency can be significant. For example, the customised nature of software-specific data fields and data storage used by the applications can make it harder to find an alternative provider who can provide the necessary software functionality and/or interfaces, especially on short notice in the event of supplier distress. In addition, there may be difficulties in extracting and migrating data to the new provider. Private cloud can offer more bespoke mechanisms to manage business continuity, but most organisations operate a hybrid public/private cloud model, which offers some cost advantages, but comes with the attendant risk of increased data security concerns in a multi-tenanted cloud environment.

CONCLUSION

With both global economies and individual organisations facing significant headwinds due to COVID-19 challenges, technology teams will need to justify continued spending on cloud solutions (with IT budgets likely to be facing cuts). Key to this will be demonstrating appropriate risk management in contracts in areas such as exit management, migration and new supplier on-boarding.