Across the globe, cloud concentration risk is coming under greater scrutiny. The UK HM Treasury department recently issued a policy paper \u201cCritical Third Parties to the Finance Sector.\u201d The paper is a proposal to enable oversight of third parties providing critical services to the UK financial system. The proposal would grant authority to classify a third party as \u201ccritical\u201d to the financial stability and welfare of the UK financial system, and then provide governance in order to minimize the potential systemic risk. The financial regulators (HM Treasury in coordination with the Bank of England, Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA)) will \u201cbe able to make rules, gather information, and take enforcement action, in respect of certain services that critical third parties provide to firms of particular relevance to the regulators\u2019 objectives (which the regulators refer to as \u2018material\u2019 services).\u201d The paper references the cloud concentration risk concerns raised by the Bank of England in previous research. At that time, over 65% of UK firms used the same four cloud providers for cloud infrastructure services. \n\nThe US regulators have been examining the third-party risk topic in various forms including request for comments last year. Recently they have increased hiring activity to bring on staff to examine the cloud software providers. Cloud concentration risk, system market risk\u2014it goes by various names\u2014is not a new topic. Back in 2019, a letter to the US Financial Stability Oversight Council requested the major cloud service providers be designated as systemically important financial market utilities. \n\nAnd then there\u2019s the Digital Operational Resilience Act (DORA) in the EU. DORA received provisional agreement in mid-May with the same overarching goal of helping to provide financial stability in the financial sector throughout the EU. \n\nAre you ready for cloud concentration regulation?\n\nSo with this latest scrutiny and round of papers issued by governments, we are about to see a material shift in the regulation of critical third-party providers and specifically the cloud service providers. Rather than wait for a compliance mandate, it is critical for insurers and financial services providers of all kinds to consider\u2014and prepare now\u2014for the implications.\n\nInsurers and financial services firms are very practiced in the requirements related to redundancy and disaster recovery. The regulations surrounding an individual provider and the ability to recover from a failure is largely mandated. Complementary to this, firms are highly motivated to ensure resiliency in order to provide the best service possible, maintain smooth operations, and retain customers. Nobody wants to read about their firm\u2019s outages in the news cycle\u2014it\u2019s just never a good thing! And of course, when a firm relies on a third-party provider for services, software, or a hosted environment, a set of due diligence goes along with ensuring the resiliency of that solution. We all know the drill. \n\nSystemic risk introduces a whole other layer of risk. It is not new either\u2014the ripple effects of the markets are also well understood. Yet the regulation has still been focused on an individual firm\u2019s approach. If the individual entities are strong, the markets will be more resilient. That is starting to change with the recognition that there is a critical dependency on third-party cloud service providers that are not regulated in the same manner. So what are we doing about it? What are we doing to get ready for new compliance measures when the regulators tell us we have too many eggs in one basket?\n\nMarket collaboration is required\n\nThe cloud service providers have become an integral part of the financial services landscape. It is now the responsibility of the entire ecosystem to manage the systemic risk that comes along with embracing cloud adoption. As a data platform company, we advise a hybrid data platform approach to balance the benefits of cloud adoption while addressing regulatory concerns related to cloud concentration risk (CCR). \n\nInsurers and financial institutions can manage their strict data privacy, governance, and resiliency, while gaining flexibility and portability of data and applications to run their business efficiently. Cloudera\u2019s hybrid data platform facilitates the portability of data across any cloud to help ease regulatory concerns about concentration risk, and our Shared Data Experience (SDX) manages security and governance consistently across private and public clouds.\n\nCloud adoption is accelerating and providers are strengthening their infrastructures aligned with the increasingly important role they play\u2014penetration testing, cyber security prevention, etc. Yet they are not fully under the scrutiny of the regulators at this time. This day appears to be getting closer across the globe. (And if they are in fact regulated in any specific jurisdiction, please leave me a comment.)\n\nHybrid cloud is a dominant deployment choice in the market\u201485% of enterprises report taking a hybrid cloud approach, combining the use of both public and private clouds. (Flexera, State of the Cloud Report, 2021.) It offers flexibility, choice and control. A hybrid data platform enables this flexibility and is recommended in anticipation of regulatory oversight. \n\nDownload our ebook to read more about cloud concentration risk.