The Bank for International Settlements thinks that Big Tech has become too big to fail.
In a paper published Tuesday, the central bank’s central bank argues that a growing reliance by financial institutions on cloud computing software provided by a handful of companies could have “systemic implications for the financial system.”
The cloud computing software market is running and quacking like an oligopoly, with Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud accounting for about 70 percent of global revenues.
About eight in ten financial institutions worldwide now use some form of public cloud, whether it’s to increase computing power, better detect fraud, or scale security.
However, results are far from guaranteed. A hacker who gained access to a Shanghai police database containing personal details of 1 billion people said, according to an FT report on Tuesday, that the information was retrieved from an Alibaba private cloud service.
Echoing previous warnings from the Bank of England and others, the BIS says finance’s growing reliance on cloud computing “constitutes single points of failure, thus creating new forms of concentration risk at the technology services level.”
The BIS paper draws from a separate study by the European Securities and Markets Authority released in May, in which authors Carolina Asensio, Antoine Bouveret and Alexander Harris explain:
Given the limited number of [cloud service providers] that can meet the high resilience requirements of financial institutions, it is likely that a sufficiently large number of them will become dependent on a small number of CSPs. This means that operational incidents can become more correlated between those financial institutions that outsource critical or important functions to a common CSP. While cloud computing can provide greater data security and operational resilience at the enterprise level, it can also increase the risk of simultaneous incidents between different companies and lead to potentially negative outcomes for financial stability (Danielsson and Macrae, 2019; FSB, 2019). Concentration risk in this context is therefore a form of systemic risk.
For example, what would happen if a leading CSP suddenly went bankrupt?
Cyber attacks also pose a clear threat. The 2020 SolarWinds hack on Microsoft’s cloud service is a good example of this. By simply inserting “a few good-looking lines of code” into Microsoft’s operating system, hackers could operate “untethered” over compromised networks, the company admitted at the time.
The Federal Reserve Bank of New York said last year that a cyberattack affecting a bank’s ability to send payments would quickly move through the wider system (emphasis ours):
“If a number of small or medium-sized banks are connected through a shared vulnerability, like a major service provider, this may result in the transmission of a shock throughout the network. Likewise, banks with a relatively small amount of assets but large payment flows also have the potential to compromise the system.”
To protect against such breaches, the European Securities and Markets Authority recommends that financial institutions use multiple CSPs for each service they provide. Multi-cloud solutions “can significantly reduce systemic risk,” it says. But ...
... however, this will only happen if the different CSPs or groups of resources have low common vulnerabilities (i.e. can be treated reasonably as independent) and if the affected services can be transferred quickly between them. In reality, the first of these assumptions (independence from CSP failures) may not hold true in certain circumstances, especially within a single cloud provider, while the second assumption (backup portability) is not specific to backup strategies that different providers use.
Policymakers who want to outsource highly sensitive data should take into account which CSP offers the most.