Cloud computing dependence imperils banks

By adopting cloud computing technology to make their systems accessible from multiple locations, financial services companies are launching new, improved digital products and streamlining their operations. But, at the same time, cyber specialists are warning that this cloud migration is exposing companies to a greater risk of cyber attacks and data breaches — as well as the fines and reputational damage they can bring.

In July, the Bank for International Settlements said that the financial sector’s increased reliance on cloud computing was “forming single points of failure” and “creating new forms of concentration risk at the technology services level”.

This was a reference to the fact that the vast majority of financial institutions use cloud computing services from the same major providers. Bank of England research in 2020 found that more than 65 per cent of UK-based banks and insurers relied on just four cloud services.

The Federal Reserve Bank of New York has also previously warned about the “transmission of a shock throughout the network” should financial services be “connected through a shared vulnerability”.

Cyber experts have already witnessed the impact this can have. Milad Aslaner, head of the technology advisory group at cyber security group SentinelOne, warns that dependence on a single cloud vendor increases cyber risk “exponentially” for financial companies.

A breach in any of the major service providers would very quickly result in market turmoil

“We’ve seen how businesses can be seriously compromised by global outages and cyber attacks on cloud service providers like Microsoft or Amazon Web Services,” notes Aslaner, a former principal product manager at Microsoft.

Cyber criminals can gain “direct access to the entire digital estate of an organisation” and “operate completely in the shadows” if they successfully hack a cloud system offered by a commonly used vendor. “It’s a dangerous misconception that cloud service providers are the ones solely responsible for cloud security,” says Aslaner. “In reality, there is a shared responsibility model between the CSP and the organisation.”

The UK’s National Cyber Security Centre provides advice for selecting, deploying and using cloud services in a secure manner. But, because financial companies are a “chief target for cyber criminals”, they should also develop an IT security and risk programme for their cloud usage and other operations, advises Aslaner. This must include the cyber risks of people, processes and technologies, he explains.

The cost of cyber attacks to financial businesses is high, warns Prakash Pattni, managing director of digital transformation at IBM Cloud for Financial Services.

“The financial services industry paid the second-highest price [behind healthcare] for data breaches last year, averaging $5.97mn,” he says. “In today’s fast-moving digital economy, it’s one of, if not the, biggest threat for the industry.”

Pattni advises financial services companies to embrace a hybrid approach — distributing workloads across on-premises, public, and private clouds — to decrease cyber risk.

“We work with 19 of the top 20 Fortune 500 banks,” he says. “While malicious attacks cannot always be avoided, a secure, hybrid cloud environment can help mitigate risk and reduce vulnerabilities,” he says. This, he adds, can include the use of industry-specific clouds with built-in security and compliance controls.

Steve Newson, chief technology officer at Starling Bank, explains that, since it launched in 2014, it has “deployed its systems and services across multiple clouds” so that it is not dependent on one provider.

He says this ensures the bank’s sensitive data is backed up right around the clock, decreasing the “impact of outages on the bank and the people that bank with us”.

However, some industry experts remain sceptical about the benefits of multi-cloud approaches. Lydia Leong, an analyst at research company Gartner, argues that they are expensive, stifle innovation, and ultimately make it harder for organisations to use cloud services because they are more complex and costly. This approach “destroys much of the business case for using the cloud”, she says.

Switching between their services also creates huge risk for financial businesses, adds Jake Moore, global cyber security adviser at security software company ESET.

“Such technology serves a great purpose but must not be relied on solely should something go wrong,” he says. “Contingency in business is key to its success and cyber security needs to work in silo with this mantra.”

Moore warns financial companies to watch out for distributed denial-of-service (DDoS) attacks, in particular. These flood online services with large volumes of dubious traffic and render them unusable.

“Multiple DDoS attacks in huge numbers have attacked international companies in the past 12 months,” he says. “Such impact could force banks offline should cyber criminals decide to infiltrate the finance industry with great force.” But he adds that cloud platforms can work together to withstand such inevitable attacks.

Regardless of the cloud approach taken, financial groups need to be alive to the threats. Mark Brown, global managing director for digital trust consulting at the British Standards Institution, says: “The potential risks are severe, as a cyber breach or failure of availability in any of the major cloud service providers would very quickly result in market turmoil.  

“Organisations and individual traders alike would be unable to function — not least given their inability to react to time-sensitive information, resulting in financial market instability and potentially devastating macroeconomic impacts.”