
Kris Sharma
on 14 November 2022

How can the financial services sector tackle cloud concentration risk?

The use of cloud computing by financial institutions has significantly increased in the last few years, a trend that was further accelerated by the COVID-19 pandemic. In the next few years, financial institutions will need to continuously balance the pressure to innovate quickly against the need to manage risk and combat financial crime. According to Synergy Research Group, the four biggest cloud service providers (CSPs), Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud, account for around 70% of cloud computing global revenues. As financial institutions continue to consume more cloud computing services from the same pool of CSPs, there is a systemic risk that a significant portion of the world’s banking services will be concentrated on a few public cloud platforms.

Why is cloud concentration risky?

The big CSPs have suffered outages in recent years. As financial institutions begin to run more of their critical business functions in the public cloud, the stakes of a service interruption at a CSP rise exponentially. A report from Lloyd’s of London and AIR Worldwide estimates the potential losses from a major cloud services outage, and the numbers are large. According to the report, an outage at one of the top three public cloud providers in the U.S. lasting three to six days could result in total losses of up to $15 billion.
In addition, many smaller and mid-sized financial institutions outsource critical banking infrastructure and services to a few ‘software-as-a-service’ big tech firms that usually tend to run on a single cloud platform. This can result in cascading problems across thousands of institutions in the event of an outage at one of these big CSPs.

How can financial institutions tackle this risk? 

There are a few risk mitigation measures finserv organisations can take. Let’s explore them here:

Adopt hybrid multi-cloud strategy

A hybrid multi-cloud approach distributes data and applications across multiple CSPs simultaneously. This increases performance and application resiliency, and reduces the risks of relying on one cloud platform provider. In the event of an infrastructure meltdown or cyberattack, a multi-cloud environment can give financial institutions the ability to switch providers and to back up their data.

Build an outsourcing register

  • The financial regulators in every country will need powers that allow them to set requirements and expectations on financial institutions to develop and implement an operational resilience framework. This will need to consider both firm-specific and systemic cloud concentration risks.
  • Financial institutions should be required to ensure that their contractual arrangements with CSPs allow them to comply with their operational resilience framework, which includes areas such as data security, business continuity and application resiliency.
  • Regulatory authorities will require financial institutions to periodically report all functions outsourced to the cloud. Financial institutions should gradually build an ‘outsourcing register’ to track critical business processes and functions that are reliant on CSPs.

Build a compliant and secure software supply chain

To safeguard the financial system from evolving cyber-risks, vulnerabilities will have to be identified and addressed at the lowest common denominator: operating system and application software packages need to have long-term security patching and updates. As an example, Ubuntu Pro (currently in public beta) from Canonical provides 10-year security coverage for thousands of open source packages beyond the main operating system.

Transformative innovations in financial services will require financial institutions to build modular, cloud-native applications utilising cloud computing infrastructure and services from CSPs. It is imperative that financial institutions innovate without compromising on the compliance, security and support requirements that mitigate cloud concentration risks to a certain extent.

Financial institutions will have to work closely with big CSPs and their supply chains to ensure that there is non-stop security for critical, high, and medium Common Vulnerabilities and Exposures (CVEs), with expanded coverage for more software packages that are used by financial services applications.

To analyse the financial stability risks associated with cloud concentration, there is a need to understand the dependencies between CSPs, their supply chains and financial institutions. Financial institutions will need a unified security and governance framework to identify, monitor and address crucial issues in data management that are critical for managing risk exposure across hybrid multi-cloud environments.


In the next few years, financial institutions will continue to adopt new technologies, including the use of public cloud computing, to keep up with regulatory and industry demands.

To address cloud concentration risk while managing the demands of digital transformation, legacy modernisation, competition and regulatory compliance, one of the big levers that financial institutions could use is to adopt hybrid multi-cloud strategies. This approach will help financial institutions to have a unified and consistent approach to infrastructure management, reduce risk and address regulatory compliance challenges, unlock innovation and extend geographic reach while at the same time reducing the cost of unused digital capacity. All the while, they should build an outsourcing register to take heed of cloud concentration risks and keep a closer eye on security and software provenance.
