Big Tech’s influence is becoming more and overarching across numerous different sectors. From retail to politics, Big Tech is slowly infiltrating our lives. One sector which is trying to ensure it keeps some control is the financial services sector.

Last July, the Bank of International Settlements published a paper arguing that the reliance of financial institutions on a few large cloud services providers could have “systemic implications for the financial system”.

Meanwhile, in June, the UK Treasury released a similar paper highlighting the risks from critical third parties in the finance sector. What this all demonstrates is how concerned regulators and governments are about the cloud concentration risk and are making the case for the risks to be minimised appropriately.

So, what is the sector doing to minimise the risk?

The introduction of Digital Operational Resilience Act

Well, last May, the European Council and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which was adopted in November 2022. According to the European Council website, “DORA creates a regulatory framework whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.” But it doesn’t matter if a business is based in the EU or not, if they trade within the EU financial services industry, they must abide by DORA.

A recent study from Gartner showed that public cloud spending was forecast to grow nearly 21% to a total of $591.8 billion in 2023, up from $490.3 billion in 2022. It’s important that regulators begin to acknowledge the use of cloud services within the financial sector. Previously there was a belief that few people would store important financial data on the cloud.

However, studies like the one from Gartner show that with more people using the cloud, something was needed to be put into place to help manage the huge amount of data being stored on the cloud, whilst also focus on the third parties that the financial service companies work with.

While the US, Canada and Singapore already have similar regulations in place, this is the first time the EU has implemented something like this, its main aim is to ensure services still run for customers, even if their cloud services go down due to a cyber-attack.

The bigger picture

But while DORA will help to stem some of the issues, there will continue to be some companies that fall foul of the regulation, and for those that do, large fines – in the form of a periodic penalty of 1% of the average daily global turnover in the preceding business year – await. If that’s not enough to have businesses concerned, the government could step in and cancel contracts or force an organisation to put in place a remediation.

Let’s look at this from a higher level. If a bank’s technology stack goes down, its services will be affected, which is bad for its customers. However, if a bank’s operating on Microsoft Azure or AWS and one of those providers suddenly goes down for a couple of hours, a whole economy could be affected because you’ve suddenly got a number of banks that are unable to provide services. That’s a massive impact, not only on a company but also potentially on a country’s economy. Interestingly, countries are beginning to realise – and accept – the need for cloud and the benefit of it, for example improved security, cost savings and collaboration.

But what about financial services industry, what’s the reaction been to DORA?

The reaction has generally been quite positive.  Currently, the EU has only offered guidance but there is an expectation that the ESAs (European Supervisory Authorities) will provide deeper definitions of actual requirements on how to meet the standards set. 

Fortunately, a lot of organisations understand that DORA is there and isn’t going away. They understand the need to provide resiliency to the necessary regulators and now, to take the next step, organisations must provide awareness.

Time’s running out – so what next?

The EU financial services industry must be ready to comply with DORA by 17th January 2025 and with large fines facing those companies who are not fully prepared for the implementation, the race is on to adopt new infrastructure. To make sure they’re ready, businesses must first know what DORA is and its implications. This involves putting together a plan, building awareness, and gaining buy-in from relevant stakeholders, namely the CISO and CIO before implementing the necessary infrastructure.

As we’ve explored, it doesn’t matter if an organisation is based in the EU or not, if they trade within the bloc, they must abide by the legislation. Unfortunately, this means that some institutions are less prepared for DORA than some of their counterparts. With time running out, it’s becoming increasingly important that they look to the right supplier who can not only move data to the cloud, but also support with awareness, recoverability and reporting.