The Bank of England (BoE) is implementing a new operational resilience regime that is likely to impact cloud providers.

The BoE is currently concluding the consultation period for the regime, which will "bring some other parties within the scope of our oversight powers for the first time," including third parties such as cloud providers, reports The Stack.

The proposals are open for consultation by the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority until March 15.

The BoE aims for these third parties to provide greater transparency on their incident response and to report on the regular testing of their technology, cyber risk management, and operational resilience measures.

According to BoE's director of prudential policy Gareth Truran, the proposals are based on "lessons we have learned from previous disruption at third-party service providers impacting multiple firms."

The final requirements and expectations should be issued in H2 2024.

Truran added: "Most third parties have processes to update and support their customers during an incident. But these processes rarely take into account the potential collective or systemic impact that such disruption might have on the financial sector due to interconnectedness."

The so-called critical third parties (CTP) are expected to include hyperscalers, and they will need to "proactively engage with existing frameworks" that have been put in place to coordinate incident response. Examples provided are the Cross-Market Operational Resilience Group's Sector Response Framework and the Financial Sector Cyber Collaboration Centre.

For the time being, no CTPs have officially been named, though regulators intend to assess them based on the materiality and concentration of the services they provide, as well as their potential systemic impact.

This is not the first time the BoE has raised concerns about cloud computing. In 2021, the UK central bank expressed concerns that the financial sector would become overly reliant on just a small number of cloud companies, arguing that this could prove a threat to financial stability. In June 2022, it was announced that the UK's financial watchdog would be visiting and regulating cloud data centers.

Several UK-based banks use cloud services, having migrated away from on-premise data centers. HSBC has agreements with Google and Microsoft, and in 2020 signed a long-term deal with AWS; Lloyds has a dedicated "Cloud Centre of Excellence" provided by Microsoft and Google; and NatWest is using multiple Google Cloud products.

In 2022, Microsoft purchased a stake in the London Stock Exchange Group, which saw the financial company migrate its operations to the Azure cloud platform.