Finance’s big tech problem | Financial Times

The Bank of International Settlements thinks Big Tech has become too big to fail.

In a paper published on Tuesday, the central banker’s central bank argues that a growing reliance among financial institutions on cloud computing software supplied by a handful of companies could have “systemic implications for the financial system”.

© Bank of International Settlements

The market for cloud computing software walks and quacks like an oligopoly, with Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud accounting for around 70 per cent of global revenues.

Estimates for 2021 Q4 © Synergy Research Group

Around eight in ten financial institutions worldwide now use some form of public cloud, whether to boost computing capacity, better detect fraud or scale up security.

© Bank of England

Results are far from guaranteed, however. A hacker who gained access to a Shanghai police database with personal data on 1bn people said, per the FT’s report on Tuesday, that the information had been retrieved from a private cloud service provided by Alibaba.

Reiterating previous warnings from the Bank of England and others, BIS says that finance’s growing dependency on cloud computing “is forming single points of failure, and hence creating new forms of concentration risk at the technology services level.”

The BIS paper draws from a separate study by the European Securities and Markets Authority released in May, in which authors Carolina Asensio, Antoine Bouveret and Alexander Harris explain:

Given the limited number of [cloud service providers] that can meet the high standards of resiliency requirements that financial institutions demand, it is plausible that a sufficiently large number of them become dependent on a small number of CSPs. This implies that operational incidents may become more correlated among those financial institutions that outsource critical or important functions to a common CSP. Even though cloud computing may yield increased data security and operational resilience at firm level, it could also increase the risk of simultaneous incidents among several firms and lead to potential negative outcomes for financial stability (Danielsson and Macrae, 2019; FSB, 2019). Concentration risk in this context is thus a form of systemic risk

What would happen, for example, if a leading CSP suddenly went bankrupt?

Cyber attacks, too, pose an obvious threat. The 2020 SolarWinds hack on Microsoft’s cloud service is a case in point. Simply inserting “a few benign-looking lines of code” into Microsoft’s operating system allowed hackers to “operate unfettered” across compromised networks, the company admitted at the time.

The Federal Reserve Bank of New York said last year that a cyber attack impairing a bank’s ability to send payments would quickly ripple through the wider system (emphasis our own):

“If a number of small or midsize banks are connected through a shared vulnerability, such as a significant service provider, this could result in the transmission of a shock throughout the network. Similarly, banks with a relatively small amount of assets but large payment flows also have the potential to impair the system”

To protect against such intrusions, the European Securities and Markets Authority recommends that financial institutions use multiple CSPs for each service they provide. Multi-cloud solutions “may significantly reduce systemic risk,” it says. But . . . 

. . . . this will only happen, however, if the different CSPs or groups of resources have low common vulnerabilities (i.e. can reasonably be treated as independent) and if the services in question are rapidly portable between them. In reality, the first of these assumptions (independence of CSP outages) may not hold in certain circumstances, especially within a single cloud provider, while the second assumption (back-up portability) may not hold especially for back-up strategies that use different providers.

Policymakers intent on outsourcing highly sensitive data to whichever CSP offers most should take note.