Regulatory change on the horizon: UK regulators will soon have powers over large cloud service providers
Regulators around the world are increasingly voicing concerns about the reliance of banks and other major businesses on a few big tech cloud providers, such as Amazon, Microsoft and Google. Cyber rules and regulations need to be improved upon and regulatory change needs to take place: regulators must have oversight of these providers.
During 2021, the BoE Financial Policy Committee criticised the obscure nature of cloud contracts. It said that, because there is significant reliance on just a handful of cloud service providers, certain financial stability risks could arise without improved regulatory oversight of the resilience of the services they offer.
During 2020, HM Treasury found that almost 70% of UK firms made use of the largest four cloud providers – IBM, Amazon, Google and Microsoft. This has raised further concern.
In the event of service disruption or hacks, where does this leave businesses and key banks?
More vulnerable to data breaches.
Firms should have back-up processes in place should data breaches, no matter how big or small, occur. However, this is not always the case.
Enter the Critical Third Party Regime
With concerns at an all-time high, the proposed Critical Third Party Regime would come into play. Under this regime, HM Treasury would consult with financial regulators and be able to deem selected third parties as “critical”. Financial regulators will also be able to proactively recommend that a third party be labelled “critical” depending on their analysis. Once a third party is identified in this way via the designation framework set out within the primary legislation, the designation will be made by secondary legislation.
Following the designation, financial regulators will have the power to oversee, make rules, and act in certain respects relating to the service that the third party provides to the finance sector.
Financial regulators will also be granted the power to decide whether resilience standards are being met. This includes the ability to:
Appoint an investigator to explore possible breaches under the legislation
Request information directly from the critical third party relating to their resilience in respect of material services to firms
Interview a representative from the third party and request the production of documents
Assign an independent “skilled person” to investigate specific aspects of the service being provided
Gain entry to a critical third party’s offices under warrant
A joint Discussion Paper will be published and, amongst other outcomes, will explore the potential ways that the financial regulators will align the exercise of their powers with financial regulators abroad, as well as with those outside the financial services sector.