Technology Record - Issue 33: Summer 2024

FINANCIAL SERVICES

“Regulators are increasingly focusing on non-financial threat scenarios such as failures of critical providers and major cybersecurity threats which can cause systemic impacts to the financial system,” says Tom Deprins, global compliance director for the financial services industry at Microsoft.

This has resulted in a new wave of regulatory attention, including the Digital Operational Resilience Act (DORA) in Europe, the Financial Stability Board (FSB) toolkit for enhancing third-party risk management and oversight, the Bank of England’s Consultation Paper 26/23: Operational resilience: Critical third parties to the UK financial sector, and the US Department of Treasury’s report on The Financial Services Sector’s Adoption of Cloud Services.

“The new regulations highlight the increasing importance of cloud providers to the financial sector and propose measures to manage associated risks that can vary by region,” says Deprins. “Some of these new regulations are particularly impactful to Microsoft because they introduce direct oversight over Microsoft as a cloud provider by financial services regulators, which is new. Europe and the UK are prime examples.”

DORA, for example, also applies to critical third parties that provide IT-related services to the financial services sector, such as through cloud platforms, professional services and data analytics. The regulation aims to set uniform requirements for business continuity of all financial entities in the European Union. It mandates that all participants in the financial system, including banking, insurance and capital market providers, have the necessary safeguards in place to mitigate cyberattacks and other risks such as supplier failure, service deterioration and concentration risk.
Third-party risk

“Traditionally, financial institutions primarily focused on financial risk management, treating third-party risk management as a component of operational risk management,” says Deprins. “Yet today, strengthening operational resilience has become a board-level discussion. Prominent outages of third-party suppliers and widespread cybersecurity incidents can have severe impacts on businesses.”

Deprins references the 2020 SolarWinds supply chain attack as a high-profile example of third-party risk. More than 18,000 of the technology firm’s customers were affected by the installation of malicious updates to their Orion systems.

“The SolarWinds supply chain attack was a clear illustration of how a single provider’s security shortcomings affected a multitude of firms, which further fuelled increasing regulatory concerns over concentration risk,” he says. “Concentration risk refers to the dependency upon a critical third-party provider to a financial institution where the failure of this provider could ultimately lead to failures that extend beyond a financial institution’s risk tolerances.”

This risk is not new, but the onset of cloud has brought the topic new attention. “It is often difficult to remove concentration entirely, and fundamentally financial services organisations must try to either reduce or remove concentration itself, or they must assess each underlying risk if removing the concentration is either not possible or not desirable,” says Deprins. “At Microsoft, we support various deployment models to address this with products such as Microsoft Azure Arc and Microsoft Edge for hybrid or multi-cloud environments.”

The World Bank, for example, connected approximately 25 per cent of its SQL Server estate to Azure Arc to centralise its systems in 2023 and hopes to expand that to 75 per cent by the end of 2024.
With employees across more than 170 countries and 130 locations, the bank’s IT team is now able to manage its complex backend of multiple cloud providers. “We wanted to implement Azure Arc so we could utilise all the features and manage all our