The great technological problem of finance | FinancialTimes
The Bank for International Settlements thinks Big Tech has become too big to fail.
In an article published on Tuesday, the central bankers' central bank says that a growing reliance by financial institutions on cloud computing software provided by a handful of companies could have “systemic implications for the financial system”.
The cloud computing software market operates as an oligopoly, with Amazon Web Services, Microsoft Azure, Google Cloud, and Alibaba Cloud accounting for around 70% of global revenue.
About eight out of ten financial institutions worldwide now use some form of public cloud, whether to increase computing capacity, better detect fraud or enhance security.
The results, however, are far from guaranteed. A hacker who gained access to a Shanghai police database containing the personal data of 1 billion people said, according to an FT report on Tuesday, that the information was retrieved from a private cloud service provided by Alibaba.
Reiterating previous warnings from the Bank of England and others, the BIS says finance’s growing reliance on cloud computing is “forming single points of failure and therefore creating new forms of concentration risk at the level of technological services”.
The BIS article builds on a separate study by the European Securities and Markets Authority published in May, in which authors Carolina Asensio, Antoine Bouveret and Alexander Harris explain:
Given the limited number of [cloud service providers] that can meet the high standards of resilience requirements demanded by financial institutions, it is plausible that a large enough number of them will become dependent on a small number of CSPs. This implies that operational incidents may become more correlated among financial institutions that outsource critical or important functions to a common CSP. While cloud computing can increase enterprise-level data security and operational resilience, it could also increase the risk of simultaneous incidents between multiple enterprises and lead to potential negative consequences for financial stability (Danielsson and Macrae, 2019; FSB, 2019). Concentration risk in this context is therefore a form of systemic risk.
What would happen, for example, if a leading CSP suddenly went bankrupt?
Cyberattacks are also an obvious threat. One example is the 2020 SolarWinds hack on Microsoft’s cloud service. Simply inserting “a few benign-looking lines of code” into Microsoft’s operating system allowed hackers “to operate unhindered” on compromised networks, the company admitted at the time.
The Federal Reserve Bank of New York said last year that a cyberattack affecting a bank’s ability to send payments would quickly ripple throughout the entire system (emphasis ours):
“If a number of small or medium banks are connected through a common vulnerability, such as a major service provider, this could cause a shock to be transmitted throughout the network. Similarly, banks with a relatively small amount of assets but large payment flows also have the potential to harm the system.”
To protect against such intrusions, the European Securities and Markets Authority recommends that financial institutions use multiple CSPs for each service they provide. Multi-cloud solutions “can dramatically reduce systemic risk,” it says. But . . .
. . . however, this will only happen if the different CSPs or resource groups have low common vulnerabilities (i.e. can reasonably be treated as independent) and if the services in question are rapidly portable between them. In reality, the first of these assumptions (CSP failure independence) may not hold in some circumstances, especially within a single cloud provider, while the second assumption (backup portability) may not hold, especially for backup strategies that use different providers.
Decision makers looking to outsource highly sensitive data to the most important CSP offering should take note.