Chapter 1
Benefits and risks of the cloud
Cloud adoption is associated with two key benefits.
Firstly, at face value cloud adoption can reduce financial institutions’ burden of maintaining security and operational resilience. Cloud providers have the bandwidth, and scale, to invest in digital security, building solutions that cater to their clients’ need to mitigate cyber risk through the adoption of best practices, encryption and activity logging. From an operational resilience perspective, cloud providers present the option of geographically distributing data centers, allowing their clients to avoid disruption occurring in a single region. Furthermore, strong computing resources facilitate deployment of data analytics tools, allowing for streamlined reporting and analysis of compliance and risk management-related metrics.
The second key benefit is low cost. Cloud adoption significantly reduces the cost of implementing on-premise technology, obviating the need for proprietary data centers, as well as the need for significant investment in testing new products and services. This is a significant shift in burden, which stands to benefit smaller to medium-sized financial institutions.
Even prior to the wave of cloud adoption, financial institutions were exposed to the balance of third-party and novel risks which are inherent to the introduction of cloud technologies. Third-party risk management has primarily challenged small to medium-sized financial institutions, presenting them with a Catch-22. On one hand, they need to outsource a portion of their ICT infrastructure to safeguard cost, whilst keeping abreast of economies of scale. On the other, engagement with third-party service providers obliges them to oversee and supervise these services, ensuring that they are not being exposed to undue risk. This requires them to invest in adequate frameworks for oversight and supervision that challenge, if not outweigh, their relative size.
Cloud poses a novel risk based largely on its multi-tenancy concept, which depends on various clients being able to share a pool of computing resources. Obviously, this raises uncomfortable issues over the visibility and accessibility of other financial institutions’ data. We only need to look back to January 2022, when Okta, an authentication company used as a service provider for various organizations, was hacked by a group called Lapsus$, leading to client data being leaked, viewed and acted upon.
Chapter 2
DORA and cloud: key principles and proportionality
Harmonizing the regulatory support to digital operational resilience for EU financial entities
DORA aims to harmonize the regulatory support to digital operational resilience for EU financial entities, focusing on management of ICT-related incidents, ICT risk management and ICT third-party risk. Specific to cloud service providers, DORA sets out provisions for sound management of third-party risk and a framework for oversight of ICT third-party service providers designated as critical. The key principle is that financial institutions that outsource technology services are ultimately responsible for ICT risk management, including adherence to all obligations set out in DORA. This key principle echoes requirements already present in the larger body of EU regulation.
The principle of proportionality, which governs other outsourcing frameworks is key to understanding DORA’s impact on smaller to medium-sized banks. Historically, regulation has made clear that technology can be outsourced, whereas responsibility cannot, and each financial institution must control and monitor the risks that arise from a relationship with a third-party service provider. DORA reduces the burden on smaller to medium-sized banks by introducing the initiative that critical third-party service providers are audited by public authorities through a central “Oversight Forum”. This should improve the resilience of third-party cloud providers and provide more legal certainty through centrally supervised audits.
Incident reporting will also be further streamlined through DORA, alleviating financial institutions’ administrative burden through efficient, central supervision.
Chapter 3
DORA’s oversight framework
A balance of accountability and responsibility
DORA establishes a robust supervisory framework that subjects each critical third-party service provider to direct oversight by the European Supervisory Authority (ESA). The ESA is required to appoint a Lead Overseer for each critical third-party service provider, to assess the third party’s mechanisms for managing the ICT risks that it could pose to financial institutions. This assessment will be conducted annually and supported by a detailed oversight plan, to include areas such as risk management processes, governance arrangements, physical security, infrastructure, and controls.
The Lead Overseer will have powers to request information and documents, including sensitive data, which could support investigations and inspections. Additionally, they have the right to examine and take copies of records, data, procedures, and other relevant materials and inspect the third-party’s physical premises. Following an assessment or investigation, the Lead Overseer is required to communicate recommendations to the third party. This is a significant departure from the state where local financial regulators did not have the authority to directly inspect third-party service providers.
Once the Lead Overseer completes an inspection, the third party is required to provide written notification of whether it intends to follow the Lead Overseer’s recommendations. The Lead Overseer then shares the outcome with national financial regulators, who are tasked with monitoring that financial institutions have considered the risks identified in the recommendations. In cases where significant deficiencies are identified, the national financial regulator may suspend the financial entity from making use of the third party’s services, until such time when the deficiencies are remedied.
From the burden of responsibility being solely on the financial institution, DORA balances it by apportioning accountability and responsibility to third-party service providers.
Summary
During the past few years, we have seen a growing number of financial institutions adopting the cloud to alleviate certain burdens and “rise above the storm”. However, this has presented new risks while mitigating those of the past. Small and medium-sized financial institutions, which are also great adopters of cloud technology, now must balance their acceptance of risk, need to outsource technological processes and capacity for responsibility, all under the watchful eye of regulators.
Finally, the prospect of DORA alleviates the burden on financial institutions, distributing accountability and responsibility across financial institutions and third-party service providers. This stands to greatly benefit smaller to medium-sized financial institutions on their digital transformation journeys, by freeing space for strategic development and reducing compliance burdens.
