Cloud resilience after the pandemic

The Financial Times has a thought-provoking look at the ongoing financial services stampede to the cloud:

“Thirty of the world’s biggest banks, deemed systemically important, are subject to regulatory capital surcharges in the name of safety. If 90% of bank data moves to the cloud, how much more risky is it that 3 or 4 largely unregulated companies dominate that space?… It remains to be seen whether hostile regulators have more or less leverage over big tech than over big banks. But given that the dominant global cloud companies are all American, mounting geopolitical tensions between ?? and ?? , and other parts of the world, will not be helpful.”

I’m not sure “largely unregulated” is right in the UK/EU, given the Network and Information Systems Security Directive, with its attention to “digital services providers” explicitly including cloud computing. @CarolineGreer noted: “I would be surprised if one or two of those providers were not also caught by the Operator of Essential Services / DNS Service Provider definition as well, depending on Member State interpretation and thresholds.”

You can see Ireland’s implementation of the Directive (since Google and Microsoft are probably covered there for these purposes; Amazon may be in Luxembourg), although the Member States don’t publicly identify covered services. Post-Brexit, companies also have to register separately in the UK.

As so many areas of society become increasingly dependent on programmable infrastructures underpinned by cloud providers — greatly accelerated by Covid-19 — we might need greater specific regulatory attention to cloud resilience, beyond financial services.

This second FT piece from April has some broader lessons from post-2008 financial crisis regulation and Covid-19. Do we need cloud equivalents of liquidity, capital ratios, and bail-inable capital? What would those look like? Subsidies to “systemic” cloud providers to maintain capabilities to switch in very large additional amounts (some domestic, to mitigate “globalisation risk”) of compute, storage and bandwidth during “surge” conditions? Cloud provider contracts with major customers to interrupt their non-critical systems in surge conditions, and even to take capacity from “on-premise” hybrid customers?

Caroline added: “The European Banking Authority has been issuing guidelines to banks on cloud outsourcing and the European Commission has been consulting on cyber resilience for financial services. So, it’s topical. And some financial providers will themselves be Operators of Essential Services under the Directive and as such, will be looking for secure solutions.” Much more discussion of this to come!