The banking sector’s over-reliance on third-party cloud services poses significant operational risk. It’s time for change.
Back in 2021, the Bank of England expressed concern regarding the financial sector’s increasing reliance on a small number of cloud companies, highlighting the threat this posed to financial stability. Following the global IT outage on Friday (19th July), it’s clear this foresight was entirely accurate.
The worldwide disruption, which impacted not only the banking sector but also took down the NHS and global transport networks, is believed to have been caused by a single erroneous software update by cyber company CrowdStrike.
The incident is a stark reminder of the monumental operational risk faced by financial firms due to their reliance on so few third-party cloud services, such as Google, Amazon Web Services (AWS), and Microsoft Azure. Research by S&P Global suggests Azure is used by approximately 79% of financial firms, and that those firms with more than one cloud provider also employ a second from the same trio. These platforms are used to store vast amounts of customer data, meaning any breach or outage can be catastrophic.
According to Tayo Dada, head of cyber security at private investigation firm Conflict International, “Friday’s outage will be the tip of the iceberg unless firms take swift action.” This is because hackers have realised that attacking the few companies that serve many clients is a highly effective and efficient strategy.
Cybercrime costs the UK economy an estimated £27 billion a year, and experts predict there will be more frequent and severe blackouts due to the increasing concentration of cloud infrastructure.
Where To Start?
Individual firms need to start by analysing their cyber resilience and operational risk, both internally and across their supply chain. Any overreliance on a single cyber firm poses a huge risk to an organisation’s stability. This is no mean feat, considering the average bank has over 20,000 suppliers.
In a sense, financial firms are being forced into this by the forthcoming Digital Operational Resilience Act (DORA), for which the deadline is January 2025. Unfortunately, despite the significant risks posed to their operations, this leaves firms little time to prepare to comply.
Here at The Disruption House, we’ve focused on business resiliency and counterparty risk in tech providers to global financial services firms since 2016, which has led us to build Diego. Diego is a DORA readiness assessment designed to assess a company’s digital resilience capabilities and benchmark them against other firms in its sector. It empowers regulated firms to rapidly identify any risks in their supply chain, and our remediation recommendations allow them to rapidly close gaps, greatly enhancing system-wide resiliency.
Get in touch to schedule a demonstration.
Examples To Follow
What are the solutions?
As a 100% digital bank, Starling Bank is an interesting case study. The bank deploys its systems and services across numerous clouds, which back up data in real time. This means the bank isn’t dependent on a single third-party supplier, greatly reducing its risk.
Another important aspect of having multiple cloud service providers is that you are not beholden to one supplier. Danske Bank takes a similar approach to Starling, operating a multi-cloud strategy. As Bo Svejstrup, CTO at Danske Bank, noted in an interview with Raconteur, this not only reduces risk, it also allows Danske to migrate between providers or in-house solutions with ease, effectively giving them an exit strategy from any arrangement and diminishing the risk of being beholden to one provider.
The Global IT Outage should be seen as a warning.
As Dada suggests, it is likely to be the ‘tip of the iceberg’. Financial firms, and indeed wider industries, must take a more robust and proactive approach to digital resilience. Cloud, cyber and IT services should not be a one-stop shop, but rather a strategically planned approach involving multiple suppliers who have been diligently assessed from a security, compliance and ethical standpoint.
Contact us to learn more about Diego, The Disruption House’s DORA readiness assessment, and begin futureproofing your organisation now.