.svg)
Bigtechs are set to have new regulatory overlords in the UK, with the government enabling authorities to test the resilience of cloud service providers.
A new "critical third-party regime" is set to give the UK’s financial watchdogs the oversight of a firm’s arrangements with cloud providers.
Statistics released by HM Treasury (HMT) suggest that more than 65 percent of UK firms used the same four cloud providers in 2020, prompting concerns of widespread disruption if one of the cloud providers was hacked.
The proposed regime, HMT says, will “fill a gap” in its current supervisory powers by allowing it to directly oversee services that critical third parties provide to firms.
This will enable the regulators to ensure that services provided by cloud providers to firms in the finance sector are resilient, thereby reducing the risk of systemic disruption.
Under the proposed regime, HMT will, in consultation with the financial regulators and other bodies, be able to designate certain third parties to firms as "critical".
The financial regulators may also proactively recommend the designation of certain third parties as critical to HMT, based on analysis of data and information from firms.
The ministry, currently headed by Rishi Sunak, will also need to have regard for representations made by potential critical third parties. Firms that are clients of these third parties will also be able to make this kind of representation.
The designation of third parties will be made via secondary legislation, taking into account high-level criteria such as the number and type of services a third party provides to firms, as well as the materiality of these services. This designation framework will meanwhile be set out in primary legislation.
Once a third party has been designated as critical, the financial regulators will be able to exercise a range of powers in respect of any material services that the third party provides to the finance sector.
New rule setting powers
In particular, the financial regulators will be able to make rules relating to the provision of these material services, gather relevant information from critical third parties and take formal action such as enforcement, when deemed necessary.
The financial regulators will also be obliged to coordinate with each other when exercising these powers.
In addition, a rule-making power will allow the financial regulators to set minimum resilience standards that critical third parties will be directly required to meet in respect of any material services that they provide to the UK finance sector.
This, HMT says, will allow the financial regulators to require critical third parties to take part in a range of targeted forms of resilience testing, to assess whether these standards are being complied with.
These will include powers for the financial regulators to:
- Request information directly from critical third parties on the resilience of their material services to firms, or their compliance with applicable requirements.
- Commission an independent "skilled person" to report on certain aspects of a critical third party’s services.
- Appoint an investigator to look into potential breaches of requirements under the legislation.
- Interview a representative of a critical third party and require the production of documents.
- Enter a critical third party’s premises under warrant as part of an investigation.
No clouds of suspicion
In its policy statement, HMT confirmed that it has been working alongside third-party providers when developing the legislation and said they have reacted positively.
The largest cloud service providers in the UK are Amazon Web Services, Microsoft Azure and Google. Firms such as Digital Ocean and UpCloud have also risen to prominence in recent years.
These providers have not been immune to hacking instances. For example, Microsoft services used by the US government, as well as many of the world’s large companies, were allegedly targeted by Russian hackers in 2020.
Amazon, meanwhile, got caught up in the CapitalOne hacking that led to the disclosure of tens of millions of US customer records, including credit card applications, social security numbers and bank account information.
Through this new legislation, the UK is joining other jurisdictions in shoring up its digital resilience legislation.
In the EU, there is the relatively similar Digital Operational Resilience Act (DORA), which was proposed as part of the Digital Finance Strategy in September 2020.
DORA, which the EU reached a political agreement on in May this year, strengthens the trading bloc’s IT security of financial entities such as banks, payment service providers and insurance companies.
DORA, in comparison to the UK’s regime, places more onus on the clients of third-party cloud service providers in addition to the providers themselves.
