Australian customers of Amazon's cloud-based platform, Amazon Web Services, recently experienced major outages and disruption to their services after storms affected Amazon's Sydney data centres.
The recent storms in Australia are a timely reminder that customers of cloud providers need to put appropriate and robust business continuity plans at the forefront of any decision to purchase cloud services. As cloud providers take on larger outsourcing projects, including from the financial services sector, it is prudent for customers to ensure that they are protected in the event of an outage or failure of the cloud provider's data centres.
Business continuity planning is often not given the attention it requires. There are many examples where the parties leave the business continuity plan to be agreed after the contract has been signed, only to find towards the end of the term that no such plan was ever implemented.
There are particular difficulties agreeing business continuity plans with cloud providers due to their "multi-tenant" and "one-to-many" business model. As the cloud service is unlikely to be bespoke for the customer, the provider's business continuity plan will be generic and apply to all customers in the same way. Customers are therefore faced with the challenge of having to get comfortable with the cloud provider's standard plans. For many regulated entities, particularly in the financial services sector, such an approach is unlikely to meet the standards required by the regulators.
Regulators, including the UK's Financial Conduct Authority (FCA), are looking to embrace innovative new technologies in financial services but are aware of the issues such technologies raise, as evidenced by the FCA's proposed guidance for firms outsourcing to the cloud and other third-party services (the FCA's Proposed Guidance).
As a reminder, the FCA's Proposed Guidance encourages regulated firms to consider 13 "areas of interest" as part of their decision to outsource to the cloud, including data protection and security, business continuity, risk management and ensuring that regulators have effective access to data. With regard to business continuity planning, the FCA states that "Firms should have in place appropriate arrangements to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption". Of particular importance, the FCA notes the significance of regularly testing business continuity plans for adequacy and effectiveness and of updating them as required. This highlights the need not simply to agree a plan but to ensure that it will work in practice.
Incidents such as Amazon's show how important it is for customers to have transparency into a cloud provider's business continuity plans and to ensure that those plans meet regulatory standards and the risk profile of the relevant service. With financial services firms increasingly relying on cloud solutions for critical services (for example, HR and payroll platforms), having a satisfactory back-up plan in place is crucial to ensuring both continuity of service for their own customers and regulatory compliance.
Unlike the Senior Management Arrangements, Systems and Controls (SYSC) rules, the FCA's Proposed Guidance is not binding. However, FCA-regulated firms should try to adhere to its suggestions where possible, and the guidance, together with recent examples of data centre outages, may give them further leverage to negotiate more robust business continuity plans with cloud providers.
For more information on the FCA Proposed Guidance, please see our earlier article.