A strange thing happened one afternoon last winter: at 2:30 p.m. on December 7th, robot vacuum cleaners across the US fell silent, electronic grocery carts were cancelled, and Adele fans raged at Ticketmaster as her concert ticket sales were postponed. Netflix crashed. So did Spotify. Duolingo. Tinder. Even some news sites.
All of the issues were rooted in one thing: an outage at an Amazon Web Services data center in northern Virginia.
Adam Selipsky, chief executive of AWS, told the Financial Times that the incident was “incredibly distressing”. But what was merely an irritant for many could be much more serious for large parts of the financial system.
A lasting legacy of the pandemic is the rapid migration of banks and other financial institutions to the cloud. With promises of greater speed and efficiency, many are increasingly performing everything from file sharing to fraud detection on a handful of servers controlled by Big Tech. In 2020, AWS struck a deal with HSBC, while Google has brokered similar partnerships with Goldman Sachs and Deutsche Bank.
The governor of the Bank of England, Andrew Bailey, has warned of the “secrecy and opacity” of these cloud deals, which make it difficult to assess the risks they pose. He admitted that regulation has failed to keep pace with innovation.
“This is no longer something that happens on the periphery of banks’ systems – for example with HR systems,” said Sam Woods, deputy governor for prudential regulation at the BoE.
“What we have now moving [into the cloud] are things that are much more integral to the functioning of banks, which could lead to safety and soundness.”
Gavin Goveia, a partner at Deloitte who is helping a client move all its financial applications to Google Cloud Platform over the next two years, said: “Everything is a candidate for moving to the cloud.”
This willingness signals a tectonic shift in attitude among executives.
Four years ago, most banks preferred to stick with antiquated systems designed in the 1980s rather than risk a repeat of TSB’s failed migration in 2018. Moving from disparate legacy IT systems to a single new platform left around 1.9 million customers locked out of their accounts for up to a week, causing – by TSB’s own admission – “extensive service disruption and instability for customers”.
TSB lost 80,000 customers and posted losses of £330m, including provisions of £116m for consumer compensation. CEO Paul Pester resigned five months later.
Now, however, the move to the cloud in financial services seems almost inevitable. A recent survey by EY found that 27% of UK banks plan to move most of their operations to the cloud by the end of this year.
The two largest cloud service providers – AWS and Microsoft Azure – account for more than half of the $200 billion global market, according to Synergy Research Group. This concentration increases the risks.
“Imagine a customer has three different payment cards,” explained Clare Reynolds, attorney at Taylor Wessing. “If there’s an outage on one of those, they can usually just use one of the other bank cards to make that payment. This might not have been possible if these three banks were using the same cloud provider.”
In addition to the risk of reduced services, the move to the cloud raises new concerns about data theft. Researchers at the London School of Economics argued that the sheer size of cloud service providers – “whose failure would be catastrophic” – has made them attractive targets for hostile agents.
During the SolarWinds Azure breach in 2020, Microsoft admitted that adding “a few lines of benign code” to its operating system allowed hackers to “operate unfettered” on compromised networks.
In the “Cloud Hopper” attack, it was years before Hewlett Packard Enterprise discovered that its server had been hacked by two suspected Chinese spies between 2010 and 2017.
None of this is to say that the cloud is inherently less secure. In fact, it’s much more secure than legacy IT systems, Reynolds said. But the risks are there.
“The focus in most cloud designs is on limiting the blast radius, should an attack be launched on the system,” said Aarti Balakrishnan, senior director at Deloitte.
Amazon has created so-called “availability zones,” which are small groups of data centers that can be isolated from problems in other zones.
Banks’ move to the cloud deepens the power and reach of Amazon, Microsoft and Google. The Bank for International Settlements said technology companies “are likely to deepen their critical role in the financial system” as banks come to rely on “a small number of specialist providers”.
Two’s company, three’s a cloud
It takes decades of research to develop a competitive cloud, meaning the current duopoly of Amazon and Microsoft will become a trio at best, with Google a distant third for now.
Regulators are keen to handle the issues. Both the EU and the UK are trying to extend regulatory oversight to the cloud providers themselves, not just the banks responsible for encrypting and managing their own data. It is an acknowledgment of the systemic risk that the cloud now poses to financial stability.
“Reforms since the 2008 financial crisis have focused heavily on financial resilience,” Reynolds said. “This decade looks set to focus on operational and digital resilience.”
Amazon and Microsoft have been contacted for comment.