PA Consulting - How financial firms can turn cloud rules to their advantage


This article was first published in FT Global Risk Regulator...

Supply chain risks

Financial institutions benefit from cloud’s scalability, cybersecurity controls and access to AI and machine learning. For the past decade, cloud has been the enabling factor behind financial product innovation. Cloud regulation or consultations on regulations are anticipated in the UK this year, which will encourage vital focus on digital supply chain risks: cloud cybersecurity and operational and concentration risks.

Examples where financial institutions must increase the level of care when migrating include not ‘lifting and shifting’ legacy, unsupported applications with known security risks. Cloud migration does not solve underlying platform risks. If you took an engine from a 20-year-old car and put in a new car body, you wouldn’t claim you had a brand new car. So why is this commonly claimed for applications or services migrated to cloud?

We believe responding to the new regulations provides an opportunity to work with cloud partners and leverage the collective responsibility between financial institutions and providers to protect institutions’ and customers’ security, reimagine financial services products and operations, and more effectively manage digital supply chain risks.

Managing digital risks

Financial institutions must deal with technology knowledge aversion and embrace cloud service technology via tech-savvy leadership at the top, improved cloud provider engagement, and practical, real-life digital supply chain risk testing and remediation.

For example, on cloud cybersecurity, many organisations draw comfort from an annual ‘Cloud Penetration Test’ conducted at a known time and with a known set of tests. This provides false comfort with limited or no value. Malicious hackers do not contact banks or insurers, name the date and time of their attack, and avoid using advanced cyber-hacking tools because it might cause too much trouble or disrupt day-to-day operations.

When validating controls, financial institutions need to use better examples of real-life via disruption-free attack simulations and step up cloud technology contract procurement and management, cloud service single point-of-failure and failure root cause analysis, and critical service downtime and response planning.

The three steps financial institutions must take to prepare for upcoming cloud regulations and better manage digital supply chain risks are:

• increase their understanding of material third-party technology and contractual dependencies;

• invest in ongoing, adaptable holistic cloud security testing, reducing risk of malicious attack; and

• apply end-to-end cloud lifecycle rigour, creating stable platforms ready for the metaverse.

To read the original article CLICK HERE.