Business Continuity is Dead, Long Live Business Continuity
Correct me if I'm wrong, but I think this might be the first time that a regulator has directly addressed security issues surrounding cloud computing. How many conferences have we been to where we've talked about data location, security, mission critical versus non-mission critical, client key information and all the rest? Fear not, gentle readers, the Federal Financial Institutions Examination Council (FFIEC, to its friends) is on it.
In a paper released on 10 July, Outsourced Cloud Computing, FFIEC broadly defines cloud in this sense as the third-party provision of applications, infrastructure or services, placing it firmly into the outsourcing category. As such, it says, financial institutions should be aware of FFIEC guidelines in this space, such as fundamental risk and risk management.
Due diligence, vendor management, auditing, information security and legal, regulatory and reputational concerns are all covered. While fun to see it codified in such depth by a regulator, it's really nothing new. Having covered this space ad nauseam for a long time, it's clear to me that all of this is understood by most financial institutions. Most competent financial institutions and firms, of course, not the guy who was nicked by the SEC a few weeks ago for selling trading strategies based on the movements of the moon.
Cloud Continuity
Most of this will be covered in any decent service level agreement, of course, and the vendor sector are pretty hot on this. Uptime, redundancy, information security and all of those good things are, traditionally, concerns on the part of the service provider. However, the FFEIC makes a good point that you can't just label things as ‘outsourced' and, suddenly, responsibility vanishes.
For all of its good points, and all that it facilitates, technology is fallible. And firms shouldn't make the assumption that, just because cloud offers a streamlined front end, it's not as convoluted in terms of infrastructure as other, more traditional, systems. Falling into the complexity trap, as we've seen in recent weeks, is easy to do, as Randy Clark, chief marketing officer at UC4 Software, told me last week when we were discussing the NatWest situation. Not strictly related to cloud continuity, of course, but the essential points about complexity are just as relevant.
Uptime, redundancy, information security and all of those good things are, traditionally, concerns on the part of the service provider. However, the FFEIC makes a good point that you can't just label things as ‘outsourced' and, suddenly, responsibility vanishes.
"Complex systems fail in creative ways; this is why it took so long to find the root of the problem," he said. "Like the rest of banking, the IT got so complicated that the people using it didn't even understand it. The solution to complexity is always simplicity. Break the problem down and keep it simple. To get control of this complexity and head off the risk of failure, IT teams in banks need to architect their systems for web-scale. More standard, simpler and scalable levels of abstraction are what are needed. This kind of re-organization of IT isn't new - we did it going from mainframes to distributed computing. However, as usual, this time it's happening faster with bigger consequences."
The Right Approach
That's why, I think, it's good to see a regulator taking the lead on this. It might be old news, and conversations about this may have been batted around hotels in New York, London, Singapore and Paris for years, but the first step towards a common approach is always discussion.
In actual fact, I personally believe that cloud is probably the future of areas such as business continuity planning. I'm not alone in that either. I had a discussion with Justin Wheatley, CEO of StatPro a few weeks ago about cloud stability and continuity processes, among other things. Clearly, there's a vested interest in extolling the virtues of cloud there, but he made a few good points about information security.
"Some people are concerned about the level of security on the cloud but I think that cloud computing is, by its very definition, a better and more secure approach," he explained. "In a centralized system, users are given access to come in and look, but they can't take the data away or send it down a wire. The information isn't going anywhere, it's staying in one place. Structurally, it's a more secure concept than the one of sending information all over the place."
Let's not forget the ability to cross computing networks with each when one goes down, the lack of geographical reliance and other areas, and the benefits of cloud become apparent. The FFIEC's point, however, is that individual responsibility remains key, and that's the truth regardless of what kind of outsourcing you engage in.
Do you want to talk outsourcing, cloud, the endless amount of rain in London and the brief, torturous moments of sunshine, or anything else? Give me a call on +44207 316 9811 or an e-mail on james.rundle@incisivemedia.com.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: http://subscriptions.waterstechnology.com/subscribe
You are currently unable to print this content. Please contact info@waterstechnology.com to find out more.
You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@waterstechnology.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@waterstechnology.com
More on Regulation
The SEC needs a hand with artificial intelligence
The SEC wants to take a tough stance on AI, but it has a talent problem… or a marketing problem. Or both…
Off-channel messaging (and regulators) still a massive headache for banks
Waters Wrap: Anthony wonders why US regulators are waging a war using fines, while European regulators have chosen a less draconian path.
Banks fret over vendor contracts as Dora deadline looms
Thousands of vendor contracts will need repapering to comply with EU’s new digital resilience rules
Chevron’s absence leaves questions for elusive AI regulation in US
The US Supreme Court’s decision to overturn the Chevron deference presents unique considerations for potential AI rules.
Aussie asset managers struggle to meet ‘bank-like’ collateral, margin obligations
New margin and collateral requirements imposed by UMR and its regulator, Apra, are forcing buy-side firms to find tools to help.
The costly sanctions risks hiding in your supply chain
In an age of geopolitical instability and rising fines, financial firms need to dig deep into the securities they invest in and the issuing company’s network of suppliers and associates.
Industry associations say ECB cloud guidelines clash with EU’s Dora
Responses from industry participants on the European Central Bank’s guidelines are expected in the coming weeks.
Regulators recommend Figi over Cusip, Isin for reporting in FDTA proposal
Another contentious battle in the world of identifiers pits the Figi against Cusip and the Isin, with regulators including the Fed, the SEC, and the CFTC so far backing the Figi.