Cloud service outsourcing and concentration risk 

Last week, the UK Financial Conduct Authority (FCA) hosted a webinar alongside the UK Prudential Regulation Authority (PRA) and Bank of England to review firms’ progress against new joint operational resilience policy, supporting and encouraging compliance by 31st March 2022. 

February 2, 2022

Audience questions focused on concentration risk, outsourcing, and regulator expectations where Important Business Services depend on third-party tools and platforms. This is clearly front-of-mind for many firms. 

Clear benefits

What specific tools and platforms were audience participants worried about? Most likely they were thinking of outsourced IT services, and in particular Cloud services, a market dominated by just a few very large providers. The PRA recognises the appeal of these Cloud providers: ‘outsourcing and third parties bring potential benefits and opportunities, including, in the case of Cloud, potentially enhanced resilience compared to firms’ on-premise data centers’.

Beyond this, the benefits of a single vendor for Cloud services are clear, including economies of scale, flexibility, improved resilience, operational efficiencies, and cost-effectiveness. In some cases, a single-vendor solution might enhance these benefits, and simplify management too.

Serious and credible threats

But there are risks to relying on third-party Cloud providers, particularly when opting for a single vendor. The big Cloud providers are big targets, and there is a steady stream of credible threats to the confidentiality, integrity, and availability of their services. We don’t have to look far for an example. Remember the hyperscale Cloud outage that Facebook experienced in 2021? Apparently caused by a misconfiguration during a ‘routine BGP update’, it resulted in a 6-hour outage, a 5% drop in the Facebook share price, and uncalculated damage to small business owners.

Other, even bigger threats loom, such as ransomware attacks, for which the average downtime suffered in Q2 2021 was 23 days. Downtime at this scale would severely impact Important Business Services and could impact entire industries, since similar businesses tend to rely on the same, single provider.

I think it’s this concentration risk that firms and regulators are concerned about. As the PRA says, ‘a major disruption, outage or failure at one of these service providers could create a single-point-of-failure with potential adverse consequences for financial stability.’

A difficult place

The FCA and PRA expect businesses to plan for this risk. The FCA stipulates, ‘firms should […] monitor concentration risk and consider what action it would take if the outsource provider failed.’ And the PRA ‘expects firms and groups to periodically (re)assess and take reasonable steps to manage […] their overall reliance on third parties; and concentration risks or vendor lock-in at the firm or group, due to multiple arrangements with the same or closely connected service providers.’

This is a tricky situation for regulated firms. They must embrace single vendor outsourced Cloud strategies to optimise their operations and remain competitive. But at the same time, they must manage the risk presented by this strategy with little visibility into the service itself, and with the threat of regulatory fines if they fail.

Catastrophic events

Cloud providers, though often opaque, are sympathetic to this situation. Microsoft reassures users, ‘Overall resiliency is addressed by the distributed architecture of systems, with geo-replication of such services with regional pairing to address potential catastrophic events. Further, customer configuration requires (depending upon criticality of systems), use of availability zones and configuration of regional pairing so if one full region were to be impacted, another would still be active’. It’s a rigorous approach, but a single-vendor solution to a single-vendor problem isn’t enough to rule out catastrophic events entirely.

Embrace the positives

If you share these concerns, StarLeaf can help. We can’t protect your whole outsourced Cloud platform, but we can protect enterprise communications, which are ‘essential to business operations’ for 97% of businesses.

It’s impossible to predict which Important Business Services will be impacted by a Cloud service compromise. But making sure your people are robustly connected with each other and their data will greatly assist them in meeting Impact Tolerances. StarLeaf Standby can replicate your enterprise communications environment in an instant, allowing business to continue when services such as Microsoft Teams, Webex, and Zoom are compromised.

Because it isn’t dependent on hyperscale Cloud providers, StarLeaf Standby helps you to embrace a single vendor Cloud strategy while remaining compliant with financial regulations. Ready to prepare your firm for the unexpected and simultaneously manage multiple risks? Get in touch to discuss StarLeaf Standby now.

Steve Raffe,
VP Strategy & Global Alliances, StarLeaf