Two’s company, three’s a cloud…, Luke Stubbs – Shoosmiths legal updates


There have been stories circulating for a while now that financial regulators, while recognising that many firms are adopting a ‘cloud-first’ approach to their IT arrangements (and trying to ‘enable’ cloud use through regulation – albeit with mixed results), are still concerned. 

A key worry is ‘concentration risk’ – the idea that, given the landscape of the market, a large number of cloud based services and systems are ultimately hosted by only a handful of very large suppliers. Granted one company might supply a service, using a cloud platform they have bought from another, but (in many cases) at the end of that cloud hosting chain sits a big vendor such as Microsoft, Amazon, or Google. 

A recurring question is ‘what if [INSERT LARGE VENDOR] collapses or is subject to a cyber attack whilst a firm’s system is hosted by them’.  It’s a good question. In the wrong circumstances it could threaten an individual firm. In a ‘worst case’ scenario, it could have an effect on the financial system. Another surrounds how regulators, with firms storing more and more systems, services, and data with third parties, can still get effective access to those to be able to perform oversight. 

These questions are not new and in recent years there has been more regulation and guidance issued on outsourcing of material functions and use of the cloud. By the end of March this year, UK regulated firms are expected to have made sure that all their contracts (including pre-existing ones) for relevant services include protections on issues such as audit and business continuity. Under the new ‘Operational Resilience’ regime introduced by the UK Prudential Regulation Authority and Financial Conduct Authority  firms should now be mapping their operations to understand where the potential threats are to continuity of their business. 

However, to date the rules have focussed on the firms – largely giving them general principles and outcomes to meet and then leaving it to them to negotiate with suppliers, or put in place fallback arrangements. There have been little or no prescribed contract terms (which if included in a contract would satisfy the regulator) or direct rules imposed by financial regulators on relevant suppliers to the industry. Whilst Data Protection regulation has come close to this  – providing prescribed terms and imposing direct obligations on “processors” – Financial Services regulators have so far not.

The signs are that the UK regulators may be looking to increase their oversight of (certainly the larger) cloud providers. Although the form of that remains to be seen. 

While at Shoosmiths we have created contract terms designed to meet the various regulatory requirements imposed on firms, it will be interesting to see if regulators take the bold step of directly applying rules to the suppliers, or even providing ‘authorised’ contract terms to be used by both parties. 


More posts by Luke Stubbs

Recent posts from Shoosmiths