Member Update

Managing Cloud Risk

A few years ago, regulators – including the UK’s Financial Conduct Authority [FCA] – scrutinised asset managers’ outsourcing arrangements, repeatedly highlighting that improvements were needed, especially around their contingency plans for a service provider failure. Although asset managers have since implemented more robust systems and backup procedures to insulate themselves against the failure of a critical third party, concerns are mounting that the industry is missing some glaring risks, namely around cloud service providers [CSPs].

CSPs are used by a wide array of financial institutions – including banks and asset managers. To their proponents, CSPs are an effective way for asset managers to reduce their IT costs, realise economies of scale and increase operational resilience – the latter being a massive selling point in a post-COVID-19 world. At a time when margins are shrinking, CSPs can provide efficiencies for asset managers, enabling firms to redeploy more internal resources to revenue-generating and client-facing activities. While CSPs confer many benefits for fund managers, they are not without risks, something to which regulators such as ESMA [European Securities and Markets Authority] are becoming more attuned.

So what are the main issues around CSPs? Research shows that three providers – Amazon Web Services, Google and Microsoft – control 60% of the CSP market, suggesting very high levels of concentration risk. An outage or failure at one or more of these CSPs could pose huge operational and technological challenges for their underlying clients. ESMA’s report warns that “migrating to the cloud … can also raise challenges at the firm level in terms of governance, data protection and information security. Operational risks are also relevant as they result from inadequacies or failures of internal processes, people, and systems, or from external events, and they may impact financial institutions in different ways. For instance, data losses could happen due to failures, deletion or disasters that occur at CSPs, or when CSPs outsource some of their functions to third parties, or ‘fourth parties’. Cyber risk is also important to consider, as massive amounts of data are stored in cloud ecosystems. ‘Vendor lock-in’ is also relevant when financial institutions rely strongly on the services of one CSP.”

While COVID-19 has reinforced the importance of technology, it has also illustrated how vulnerable the financial services industry is to disruptive events of all stripes – including technology outages. The European Commission, in particular, has started to pay more attention to digital resiliency, namely IT risk management, incident reporting and IT third-party risk, with the publication of DORA [the Proposal for a Regulation on digital operational resilience for the financial sector]. This is something asset managers will need to be cognisant of. It is not just regulators who are examining asset managers’ CSP and third-party IT arrangements; institutional investors are too. It is vital that asset managers can demonstrate they have an excellent understanding of IT and CSP risk.