Earlier this year, the Bank of England’s Prudential Regulation Authority (PRA) revealed its intention to impose more stringent regulations on cloud computing giants. The move came after the PRA had expressed concerns over British banks’ dependency on a handful of cloud service providers, with fears that an outage or cyberattack could severely disrupt a banking system. This fear became a reality in April, when American Express faced outages across its network, causing payment issues for its customers across the UK, Europe, and the US.

Urgency surrounding the matter has also been ramped up in recent months due to the ongoing conflict in Ukraine, with the financial sector an obvious target for Russian cyberattacks in retaliation to the sanctions placed on the country by the Western world.

Yet, despite an increase in security threats, experts remain doubtful that the cloud providers the industry depends upon will willingly open up their operations, as they don’t fall under the Bank of England’s jurisdiction. Given the potential disruption, cloud service providers must work collaboratively with regulatory bodies to improve security and trust among customers. 

The digital transformation of banks

While the digitisation of the financial services industry has been bubbling over the past few decades, it was the pandemic that triggered a complete overhaul in the banking habits of the majority of everyday customers. High-street branch visits vanished overnight while people’s dependence on online banking sky-rocketed. This trend has continued, too - a recent survey by KPMG revealed that 20% of people haven’t visited a branch since the pandemic began. 

As part of this digital transformation process, banks have migrated their infrastructure to the cloud. Remarkably, their spending on cloud computing services is predicted to grow by more than 16% a year through 2024, compared with a 4.5% annual increase in banks’ overall IT budgets.

The surge in demand for digital technology, triggered largely by the pandemic, has caused an exponential rise in the number of cyber threats across industries, but none more so than the financial services sector. According to Kroll’s Threat Landscape Report, FinServ firms are one of the most heavily targeted for cyberattacks, accounting for 13% of all breaches.

Given this looming cybersecurity threat, regulators are rightly hastily working to ensure that financial services providers are able to protect their customers from any threats they may face by operating in the cloud, and it is cloud service providers' responsibility to comply.

Security risks posed by legacy infrastructure

Given the security concerns that regulators have expressed over cloud computing, many doubters question why banks continue to migrate to the cloud. In actuality, the risks associated with legacy infrastructure are far higher than any threats posed by the cloud.

The majority of legacy banking systems have been in operation for more than 30 years, with an estimated £2 trillion passing through them every single day. With such large sums of money dependent on antiquated systems, many banks have been hesitant to alter their infrastructure too heavily during their migration to the cloud and digitisation process.

However, it is common for legacy systems to be left unsupported by service providers and vendors, and on the rare occasion that a vendor does continue to support a legacy system, banks are faced with huge bills to keep them up and running. Not only is this costly but it is also highly inefficient, as the expertise on such legacy systems diminishes year on year.

On the other hand, cloud-first solutions have security measures built into the infrastructure and are therefore inherently more secure. These systems receive real-time updates and alerts, and engineering teams can produce patches and new features on the fly, ensuring that security vulnerabilities that occur can be rectified before any banking data is at risk. Cloud vendors constantly iterate on their solutions to ensure they are meeting the changing needs of their customers, especially those in financial services. Ultimately, flexibility is vital when building for the long term.

Cloud infrastructure also helps financial services firms have a better grasp of their compliance with regulations. For instance, cloud platforms allow banks to utilise numerous data centres with multi-region architecture, and provide the ability to failover swiftly should an outage or attack happen. When it comes to reporting, cloud infrastructure also enables the monitoring of which user has uploaded, viewed, and shared content, which can help financial services firms ensure compliance with data protection regulations, such as GDPR.

Regulation compliance is the way forward

The PRA’s recent focus on banks’ over-dependence on a handful of cloud service providers is to be encouraged. In the current threat landscape, security and compliance must be central to every cloud provider’s DNA, especially for banks, where public funds are at stake.

However, while certain service providers have instinctively repulsed the PRA’s proposals, there is a strong precedent to indicate that additional regulation actually improves security and customer trust in the long term. For instance, the EU’s GDPR law set in motion that businesses were responsible for protecting customers’ sensitive data, and it has worked.

By providing people with greater control over their personal data and simplifying processes for businesses, GDPR has provided a framework for how companies should act when data infringements arise. As a result, consumer confidence shot up by 62%, as people felt more in the custody of their data and privacy. The introduction of similar legislation for the cloud must be both contested and accommodated to ensure that positive results are achieved. 

With a growing dependence on technology and the migration to the cloud, as well as the increased risk of cyberattacks, having thorough regulations and preventative measures in place for the financial services sector to follow if a vulnerability does occur will ultimately help improve public trust. When it comes to cloud-based banking, regulation is the key to cloud migration.