We see more and more regulatory comments on multi-cloud solutions. As a result, financial institutions in particular are asking for multi-cloud workflows (e.g. AWS and Azure) instead of single-cloud providers. If you also experience increased requests from regulatory bodies on multi-cloud deployments (or would just like to provide some comments), please share your feedback.
Examples of regulator statements:
In July, the Bank for International Settlements said that the financial sector’s increased reliance on cloud computing was ‘forming single point of failure’ and ‘creating new forms of concentration risk at the technology services level’.
The Federal Reserve Bank of New York also warned about the ‘transmission of a shock throughout the network’ should financial services be ‘connected through a shared vulnerability’.
The Monetary Authority of Singapore states: ‘Cloud workloads could also be deployed in multiple geographically separated data centers (e.g. ‘zones’ or ‘regions’) to mitigate location-specific issues that may disrupt the delivery of public cloud services.’ Furthermore, it is stated: ‘To mitigate CSP concentration risks, FIs may consider implementing vendor diversity.’
The EU passed the Digital Operational Resilience Act (DORA), which defines ICT concentration risk: ‘ICT concentration risk means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of the latter may potentially endanger the ability of a financial entity, and ultimately of the Union’s financial system as a whole, to deliver critical functions, or to suffer other type of adverse effects, including large losses.’
Moreover, the following is stated: ‘Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.’