Britain’s finance ministry has announced that it will have the power to make onsite visits to major cloud computing firms such as Amazon, Google, and Microsoft, which provide “critical” services to financial firms in the UK.
The ministry noted that greater oversight from the Bank of England was necessary because of the UK finance industry’s increasing reliance on these major cloud providers, as they transform their businesses and switch to cloud computing. In 2020, over 65% of British companies used the same four cloud providers.
This broad-based dependence on a few key cloud industry players could raise costs for businesses across the UK, should any of these major cloud service providers be hacked or otherwise compromised.
Call to Address “Secretive and Opaque” Contract Terms
In 2021, the Bank of England (BOE) had already expressed concerns that cloud providers’ contract terms tended to be secretive and opaque, and called for standards to ensure the security and resilience of cloud companies’ services.
Following up on these concerns, the British finance ministry proposed to identify “critical” outsourced services provided by major cloud industry players and bring these services under the direct supervision of the BOE and the Financial Conduct Authority.
Other proposals within the British Treasury statement included allowing financial regulators to set minimum resilience standards which third parties would be “directly required to meet in respect of any material services that they provide to the UK finance sector.”
Furthermore, secondary legislation backed the British finance ministry’s designation, allowing regulators to make rules on the provision of services, make onsite inspections, and take enforcement action. These proposed regulations, if enacted, would “reduce the risk of systemic disruption” to Britain’s finance sector.
Increased Government Regulation on Cloud Computing
The British finance ministry’s move towards greater oversight of major cloud companies aligns with a broader trend of state oversight that can be observed around the world.
For instance, the European Union reached provisional agreement on a set of rules formally known as the Digital Operational Resilience Act (DORA) in May 2022, to strengthen the IT security of financial entities by setting uniform requirements for the security of firms and cloud providers’ network and information systems.
While government regulation targeting large cloud companies is not a new idea, governments have in recent years stepped up their efforts to address security concerns about cloud usage, especially as several firms around the world embark on digital transformation and scale up their use of the cloud.