The COVID-19 outbreak has created a unique operational and business environment, including a large-scale shift to remote working and digital channels in a very short space of time. This, in turn, has shone a light on the flexibility and scalability of the Cloud.
However, the current situation is also a real-life stress test for the resilience of outsourcing arrangements and further highlights some of the typical risks associated with Cloud outsourcing. Below we explore these challenges and look at what firms can do to address them effectively without compromising on operational resilience and regulatory compliance.
Ongoing Cloud migration plans and regulatory engagement
Some firms are de-prioritising or delaying non-essential Cloud migration plans because of stretched capacity, reduced staff levels, and the need to focus on immediate challenges such as market liquidity management and business continuity.
If delays, particularly to non-essential Cloud programmes, are unavoidable, firms should use the time and any spare resource capacity to fine-tune their Cloud migration plans. This includes strengthening or developing strategic Cloud risk management tools ahead of submitting future material notifications: for example, improving security controls, or testing service resilience, particularly for important business services.
Additionally, some firms have raised concerns that regulators may have limited availability to engage with and review ongoing critical Cloud migration programmes, and to give feedback on submitted material notifications.
As far as we are aware, regulators have not paused their cloud-related reviews, but they are likely to be dealing with a very high number of notifications while adopting alternative working arrangements themselves. As such, firms must open up the regulatory engagement channels (especially the internal regulatory liaison teams) as quickly as possible, and clearly flag any time-sensitive requests or notifications so that they are reviewed in that light.
For firms reviewing their cloud migration plans, the regulators’ ‘green light’ to proceed should remain a key milestone to progressing further.
Concentration risk and operational resilience
Despite the rapid scalability of Cloud technology, the COVID-19 outbreak is challenging the capacity of Cloud Service Providers (CSPs) to cope with a sharp increase in demand. From conversations with our clients, we understand that certain regions have faced resilience challenges for specific cloud-hosted solutions over the past few weeks, resulting in temporary suspension of access to applications and data.
Both EU and UK regulators have made clear that operational resilience requirements are an important area of focus during this pandemic. Firms should therefore review and update their business continuity plans to reflect the possibility of CSP service interruptions, and should not assume that further cloud capacity will be available instantly.
A rapid shift or expansion to cloud-based services can have a significant impact on the risk and control environment. Consider the example of moving call centre capabilities to a cloud-based, remote home-working channel instead of a centralised system hosted in-house or on hybrid infrastructure. This should be considered from at least two aspects:
- Firstly, the end-to-end consumer and service impact of "turning off" the existing infrastructure solution in favour of the Cloud; and
- Secondly, balancing the operational efficiency gains against operational risk and overall concentration risk to third parties.
This may require firms to assess the feasibility of moving their data and applications between providers, and the need to repatriate critical data in-house and/or build up internal capabilities. For Software-as-a-Service (SaaS), where the structure of stored data may be difficult to migrate to another solution without significant effort, firms should raise their continuity concerns directly with their CSP. Firms will also need to map out how and where CSP service interruptions can affect them through third- and fourth-party providers, and adjust their risks and controls accordingly.
From a regulatory perspective, FS firms remain responsible for all outsourced activities, and must designate specific individuals who are accountable for overseeing and managing Cloud outsourcing arrangements and risks, including those arising from third- and fourth-party providers.
Maintaining a comprehensive view over the risk and control frameworks of the CSP (and other third-party suppliers) is always challenging, but even more so when resources are constrained and/or staff are working remotely. National lock-down and social distancing measures are likely to introduce challenges both in the operation of standard control procedures and in the on-site validation of third-party controls, including in data centres.
These governance challenges will require firms to reconsider their tolerance for operational risks and, given the circumstances, to review the reasonable steps and controls they should introduce to ensure risks continue to be managed effectively. For example, steps to reduce the prospect of employees being locked out of their devices while working remotely may ease the burden on stretched IT helpdesk staff, but they weaken access controls and must be balanced against the increased security risk.
Firms will need to adjust their governance, risk and control frameworks rapidly to account for similar changes in operating procedures. Contingency plans, setting out delegates for designated responsible individuals, should also be reviewed to ensure they can be implemented.
Firms should also consider how their Cloud service risk profiles will be affected if the controls they rely on under the shared responsibility model, operated by CSPs and by other third-party providers that themselves rely on Cloud platforms, become constrained. Enhanced monitoring of the CSP's systems and controls may be deployed to serve as an indicator of third-party control performance.
Firms will also need to map out any security risks to Cloud outsourcing arrangements that may be exacerbated by the current pandemic, including those that are the result of temporary adjustments. They will need to assess whether these adjustments remain within their risk appetite, and tailor their controls accordingly.
Third-party assurances
The current COVID-19 restrictions, such as remote working, social distancing, or furloughing of staff, could result in the unavailability of independent assurance reports as well as restrictions on the access and audit rights used to validate controls. Some CSPs are looking at alternative provisions, such as publishing live service level dashboards on dedicated portals. While this will go some way towards providing third-party assurance, we expect that further discussions will be needed to find solutions that work for all parties in the ecosystem. Given their regulatory responsibilities, FS firms may need to be more proactive in speaking with CSPs to understand the 'art of the possible' and to ensure that they continue to operate within their risk appetite tolerance levels.
It is too early to assess how the current pandemic will affect FS firms’ use of the Cloud in the future, but we expect the use of CSPs to be a critical component of firms’ recovery strategies post COVID-19. The current pandemic is expediting the adoption of digital channels and digital ways of working, which are often founded upon Cloud infrastructure. This rapid adoption curve will give firms an opportunity to update their digital risk framework, test resilience and gain further buy-in from stakeholders, and regulators, to migrate a larger scope of activities to the Cloud and realise the benefits of rapid scalability.
At the same time, these opportunities should be deployed with a robust consideration of risks, specifically around service interruptions due to pressured CSP capabilities. The COVID-19 experience may well push FS firms towards more hybrid Cloud models, which would enable them to maintain greater control over critical data and functions in-house, or to deploy solutions with increased resilience features.
From a regulatory perspective, in the UK we expect a practical yet cautious approach to supporting firms through the rapid increase in Cloud use during this period. We also expect regulators to apply the draft policy guidelines, such as the impact assessment of material business activities, to guide their review and challenge of outsourcing arrangements. What is clear is that the lessons learnt in the next few months will undoubtedly shape future policy around cloud outsourcing.