The impact of the COVID-19 pandemic has changed the way financial institutions, customers, and employees will conduct business and interact with each other. The need to adapt to enable remote working, to employing digitally connected services to customers, and to even build new business models requires speed, agility, and applying adaptive measures with this constant change. What has not changed is the need for operational resiliency and business continuity. Indeed, financial services regulators expect institutions to ensure business operations remain resilient under this environment so that liquidity and related banking and insurance services remain strong for critical operations. With this in mind, financial institutions are turning more to cloud services to meet these requirements and maintain operational resiliency of their core operations, including for critical and important functions of the institution.
It is no surprise that despite the recessional impact of COVID-19 in many sectors, financial services has not only remained resilient and functioning, but cloud is becoming an increasingly important part of the equation to provide the foundational components of enabling the agility and resiliency required to keep bank and insurance operations thriving. This has resulted in an uptick in cloud adoption, particularly for services like Microsoft Teams that have enabled institutions to shift quickly to remote workforces and remote customer service. As cloud adoption increases and becomes more prevalent for key operations, this has led to ongoing discussions and questions about concentration risk. Namely, does use of cloud services, particularly with a single vendor, raise systemic concentration risk issues, and, if so, what does this mean for institutions when choosing a cloud vendor for material and important workloads?
Financial services regulators across jurisdictions have identified concentration risk as a factor to consider in assessing risk in outsourcing. That risk has two components (i) micro-risk where reliance on a single provider for core operations may present an undue risk of operations if there is a single point of failure and (ii) macro-risk where reliance on financial firms within the ecosystem are so reliant on a vendor that a single point of failure risks causing a broad systemic risk to the operations of the financial services sector. Notably, this risk is not unique to cloud services and, as the Bank of England commented in its Consultation Paper on Outsourcing and Third Party Risk Management, “a small number of third parties have traditionally dominated the provision of certain functions, products, or services to firms, such as cash machines or IT mainframes.” In other words, the issue of concentration risk is not net new but has been a feature within the financial services industry for decades.
While cloud remains relatively nascent compared to entrenched providers of legacy systems, like the mainframe, its increasing adoption means that financial institutions must account for, and mitigate against, micro-risk issues of concentration in use of cloud providers. Indeed, the Bank of England stated that it “will expect firms to assess the resilience requirements of the outsourced service and data and determine which of the available cloud resiliency options is most appropriate. These may include multiple availability zones, regions, or service providers.”1
While acknowledging that concentration risk is an area to monitor, the UK PRA equally identifies, “if configured correctly, cloud services can significantly improve the operational resilience of individual financial firms.”2 Financial institutions should not lose sight of this when assessing such risks and strategies in adopting cloud services and other forms of outsourcing.
Despite the fragmented nature of legacy systems within financial institutions, there are measures to mitigate against such risks of single point of failure, and Microsoft has built-in capabilities to assist customers to counteract against such risks, so their operations not only remain resilient but function in a safe and sound manner. Further, at an enterprise level, Microsoft’s own operations are subject to rigorous risk management oversight, placing accountability across services that have, ultimately, oversight by the Microsoft Board of Directors. Together, this vast array of resources and measures help mitigate both micro-risk concerns with a single institution, and allay against broader issues at a macro-level, particularly given the distributed nature of outsourcing within the industry and strong competition among incumbent providers and more recent players, including hyperscale cloud vendors.
In choosing any vendor, enterprise stability and overall enterprise risk management practices are important factors to consider and assess from an overall risk management perspective. For over 20 years, Microsoft has been uniquely positioned as consistently in the top 10 market cap companies in the world, irrespective of economic downturns or other dynamic changes in the industry. Further, Microsoft has a AAA Standard & Poor’s rating, one of only two companies to have such status. While market dynamics can change, Microsoft has adjusted to shifts in the market to meet customer demand and address competitive dynamics, resulting in unsurpassed market performance and stability within the marketplace.
Hyperscale cloud measures
As a starting point, the distributed architecture of hyperscale cloud provides significant resiliency. By way of example, Microsoft provides for 99.9 percent uptime in its SLAs as standard, but with configuration to use availability zones, that increases to 99.99 percent and, for modern services like Cosmos DB (Platform as a Service), it pushes to 99.999 percent. Further, Microsoft’s investments in building a “diversity of service” within our infrastructure that have built-in redundancies to mitigate against failures, much like the engineering design systems in airplanes. For example, at the platform layer, we have two DNS infrastructures configured active/active, one Windows and one Linux; we have multiple petrol providers for our generators; and two subterranean sea cables connecting the US to Europe. Coupled with a data center footprint that expands to all regions of the globe in over 60 regions, customers can take full advantage of these different regions to maximize workloads in multiple regions to mitigate against risks of a single point of failure.
Through automation, scale, and distributed redundancy, hyperscale cloud further mitigates risks of various attacks, whether it is zero-day attacks, side-channel attacks, or ransomware attacks, cloud offers solutions to mitigate risks that may be more pronounced in legacy on-prem environments. For example, during the Spectre and Meltdown attacks, Microsoft could patch its environment through automation and scale much more quickly than customers could with their legacy environments. Thus, our cloud services were not impacted as a result. For side-channel attacks, hackers must execute code on the same physical machines as a banking system runs on, but with cloud services. This means they must know the physical location of the servers where customer data is stored and must stay within that environment for some period of time. As cloud services are consistently distributed and not collocated in any one environment for a significant period of time, the risk of such attacks being successful is quite low. Finally, in addressing ransomware risks, Azure cloud services provide for air-gapped back-up of data, which provides for scenarios that maintain continuity so data can be preserved in a separate environment, which is how customers with national security requirements manage such risk.
Microsoft has invested heavily to enable customers to meet their regulatory compliance obligations in financial services. Not only do we provide for built-in compliance features to address key requirements, we meet the broadest array of certifications and standards in the industry—more than 90, spanning over 50 regions and countries. Our knowledge base in supporting customers includes broad engagement with financial services regulators, supporting customers in their risk assessments, and providing for audits of our cloud services when required. In addition, we have provided for support and documentation to assist customers in business continuity and exit planning—a key requirement to address and manage concentration risk in the use of our cloud services. Together, in partnership with our customers, and ongoing in engagement with financial services regulators, we believe concentration risk is like any other risk that can be managed with proper governance, oversight, and partnership with Microsoft.
Resources from Microsoft
To access additional resources and learn more about how Microsoft supports the financial services industry, visit our website.
1 The PRA Outsourcing Consultation, paragraph 2.42.
2 The PRA Outsourcing Consultation, paragraph 2.5.