Managing cloud risk – some considerations for the oversight of critical cloud service providers in the financial sector
Financial firms' use of the cloud, including for their critical services, has been increasing over the years and is expected to continue to do so. Once a significant level of critical services has moved to the cloud, a major operational disruption at a cloud service provider (CSP) could interrupt the delivery of these services and hence have systemic implications. This is exacerbated by the predominance of a few CSPs at the global level. However, the prevalent regulatory approach, in which individual financial firms are expected to manage their third-party risks, does not take a systemic view. This paper identifies some considerations for potential oversight frameworks for critical CSPs that take into account their potential systemic importance, as well as the cross-sectoral and cross-border nature of their operations.
JEL classification: G20, G28, O38
Keywords: cloud service provider, critical CSP