REDUCING RISK FOLLOWING FCA GUIDELINES: THE RISE OF MULTI-CLOUD

Ben Saunders, VP Consulting EMEA at Contino


According to the Financial Conduct Authority (FCA) guidelines on outsourcing IT, firms must be able to “know how [they] would transition to an alternative service provider and maintain business continuity”.

For organisations that realise that the future of digital services belongs to the cloud but want to remain in line with key financial guidelines, this could mean only one thing: multi-cloud.

So, what do the regulations mean for your business’ multi-cloud? The guidance given by the FCA is trying to do one thing: reduce risk. This can be approached from four main angles: operational, concentration, data and exit risk.


Reducing Operational Risk

The operational perspective is all about securing day-to-day operations. Key requirements to meet this include documented and tested risk assessments, skills and resources to mitigate risk and a documented business case justifying risks. The central pillar of an operational risk strategy must be a solid risk assessment.

This must identify all the critical or important functions that the financial institution provides (e.g. current accounts, payments, loans, credit cards, savings accounts) and the risks associated with these services (e.g. technical, financial, political etc.).

Your risk assessment must be documented and reviewed on a regular basis. All the risks that are identified must be assigned to someone to be accepted, managed or mitigated with a clear action plan, with a Material Risk Taker (MRT) wholly accountable for the risks identified as part of the overarching cloud strategy.

The key takeaway here is that many financial organisations, upon first adopting the cloud, struggle to fully understand how their core products, business service lines and customer journeys hang together architecturally. So, the starting point is always to understand what the as-is state is and what your provisional to-be architecture could look like.

As a starter for ten, choose one business service line across each of your core product sets. Identify the components where value could be derived through the adoption of public cloud and establish a repeatable framework that can be used by other sections of the organisation.


Mitigating Concentration Risk

Concentration risk is defined as “the reliance that firms themselves may have on any single provider.” It’s about making sure that you don’t put yourself in a situation where you have all your mission-critical eggs in one basket.

So, what do businesses need to do to mitigate concentration risk in the eyes of the FCA? They need to know the criticality of workloads in the cloud, know where these workloads are, and test a plan for how they can transfer these to a different provider in the event of provider failure.

Regarding workloads, note that different requirements apply to different functions. Most important here is whether the function being outsourced is “critical or important”. A critical or important function is one whose failure would “materially impair the continuing compliance of a firm”. Undertake a discovery assessment so you know what workloads you have where and what level of material importance they carry.


When it comes to creating a tested plan for moving to a different provider, one suggested method is:

  1. Identify a small, low-risk workload in your organisation's existing cloud that would make a good candidate for an experimental migration to a new cloud
  2. Execute the experimental low-risk migration
  3. Whether you fail or succeed: learn from what went well and what didn’t go so well
  4. Apply the lessons learned to the next experiment
  5. Continue experimenting, scaling the migration more widely each time
  6. Write up the results of your experiments into a documented strategy along with evidence of the experiments
  7. Consult with the FCA to see if they approve of your battle-tested strategy!


Being transparent is a crucial part of an effective engineering culture and here it applies as much externally as internally. Update the FCA frequently and ensure a tight feedback loop between them and your cloud teams.


Reduce Data and Security Risk

How you approach data and security are critical when it comes to reducing risk. Firms “should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm … [c]onsider data sensitivity and how the data are transmitted, stored and encrypted, where necessary”.

Regarding security readiness for public cloud, a poorly thought-out method is taking existing ‘on-premise’ security and compliance controls and enforcing them in a cloud environment.

As part of a cloud adoption strategy, businesses should consider which of their existing security controls should be adopted, which should be adapted, and which should be retired. Using frameworks such as those from the Cloud Security Alliance (CSA), the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), and embedding these using practices such as compliance-as-code, will give organisations a consistent security pattern that can be applied across each of the major cloud providers, in turn establishing one consistent way of handling security across heterogeneous clouds.

Regarding data, it's important to build a view of data tiering and of the sensitivity of the data you're prepared to push into the cloud. This assessment must be wide-reaching and include a data residency policy, a data loss strategy, and a data segregation strategy.
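To make "compliance-as-code" and the data-tiering assessment concrete, here is an added example, not code from the article or from Contino: a small, provider-neutral policy check that evaluates storage resource descriptions against a handful of controls (encryption at rest, anonymous access, data residency by sensitivity tier). The resource dictionaries, tier names, permitted regions and control identifiers are all constructed for illustration; they are not the wording or numbering of any CSA, CIS or NIST control. The same check runs unchanged whether the description was exported from one cloud provider or another, which is what gives a single pattern across heterogeneous clouds.

```python
"""Minimal compliance-as-code check over provider-neutral resource descriptions.

Added example, not the article's own code. Control names, tiers and the
residency policy below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed data residency policy: which regions each sensitivity tier may use.
RESIDENCY_POLICY: Dict[str, set] = {
    "public": {"uk", "eu-west", "us-east"},
    "internal": {"uk", "eu-west"},
    "confidential": {"uk"},
}


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    detail: str


def check_encryption(r: dict) -> Optional[str]:
    """Encryption at rest is always required; confidential data also needs customer-managed keys."""
    if not r.get("encryption_at_rest"):
        return "encryption at rest disabled"
    if r.get("data_tier") == "confidential" and r.get("key_management") != "customer-managed":
        return "confidential data requires customer-managed keys"
    return None


def check_public_access(r: dict) -> Optional[str]:
    """Only resources classified as public may allow anonymous access."""
    if r.get("data_tier") != "public" and r.get("public_access"):
        return "non-public data exposed to anonymous access"
    return None


def check_residency(r: dict) -> Optional[str]:
    """Unclassified data fails closed; classified data must sit in a permitted region."""
    tier = r.get("data_tier")
    if tier not in RESIDENCY_POLICY:
        return "data tier not classified; residency cannot be assessed"
    if r.get("region") not in RESIDENCY_POLICY[tier]:
        return f"region {r.get('region')!r} not permitted for tier {tier!r}"
    return None


# Hypothetical control identifiers (assumption, not a real framework's numbering).
CONTROLS: Dict[str, Callable[[dict], Optional[str]]] = {
    "STORAGE-ENCRYPTION": check_encryption,
    "STORAGE-PUBLIC-ACCESS": check_public_access,
    "DATA-RESIDENCY": check_residency,
}


def evaluate(resources: List[dict]) -> List[Finding]:
    """Run every control over every resource and return the failures."""
    findings: List[Finding] = []
    for r in resources:
        for name, check in CONTROLS.items():
            detail = check(r)
            if detail:
                findings.append(Finding(r["name"], name, detail))
    return findings


# Constructed samples: a weakly configured bucket beside its hardened counterpart,
# plus one that was never classified during discovery.
WEAK_BUCKET = {
    "name": "payments-ledger-backup",
    "data_tier": "confidential",
    "region": "us-east",
    "encryption_at_rest": True,
    "key_management": "provider-managed",
    "public_access": True,
}
HARDENED_BUCKET = {
    "name": "payments-ledger-backup",
    "data_tier": "confidential",
    "region": "uk",
    "encryption_at_rest": True,
    "key_management": "customer-managed",
    "public_access": False,
}
UNCLASSIFIED_BUCKET = {
    "name": "misc-exports",
    "region": "eu-west",
    "encryption_at_rest": True,
    "public_access": False,
}

if __name__ == "__main__":
    for f in evaluate([WEAK_BUCKET, HARDENED_BUCKET, UNCLASSIFIED_BUCKET]):
        print(f"{f.resource}: {f.control}: {f.detail}")
```

Run it as a script and the weak bucket produces three findings, the hardened bucket none, and the unclassified bucket one residency finding. In practice the resource dictionaries would be produced by exporting configuration from each provider into this common shape, so the control set is written once and evidence of its results can be attached to the risk assessment the guidelines ask for.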


Reduce Exit Risk

What if you need to leave a cloud? Your organisation needs to be prepared. Regulations make it clear that you need a documented and tested exit strategy that will, crucially, enable you to meet the regulated level of service for a given workload.

Say, for example, that you had a critical payments system that regulations mandated be 99.99999% available, with a recovery point objective of zero. Your exit strategy would have to ensure that you can still meet this level of service, while you exit your cloud provider.

Achieving this goes back to having really good configuration management practices and architectural principles. No one wants to deal with a monolithic app here! Make sure all applications are as modular as possible, which will support incremental migration patterns to maintain system uptime.

Critical here is that when you are in negotiations with a cloud service provider that you have a contractual agreement in place that guarantees that they will help you to exit with minimal disruption and provide you with the required support to do so.

Most financial institutions are already considering embarking on a multi-cloud journey; however, the FCA guidelines should be the prompt everyone needs to really get started. If organisations consider operational, concentration, data and exit risk, they can meet the FCA guidelines and ensure they are running a dependable, profitable and forward-thinking operation.
