Cloud Revolution in Regulated Industries: Opportunities, Challenges and Risks

March 4, 2024

Like all regulated industries, banks, insurance companies and capital management companies are undergoing a transformation driven by the increasing integration of cloud services. This brings opportunities, but also a number of challenges and risks. The banking, insurance and pension sectors face a dual task: they must modernize their infrastructures to remain competitive, while at the same time managing their risks adequately and complying with the strict security regulations and standards that apply to them. Established processes usually cannot be applied to cloud technologies and cloud service providers at all, or can only be mapped to them inadequately.

In this article, you can read about the specific challenges that companies from regulated industries face when using cloud services and how they successfully overcome them.

Regulatory requirements

Like IT as a whole, the introduction of cloud services is subject to regulatory requirements such as BAIT (Supervisory Requirements for IT in Financial Institutions) and VAIT (Supervisory Requirements for IT in Insurance Undertakings), as well as other requirements issued by the German Federal Financial Supervisory Authority (BaFin). These place particular emphasis on the outsourcing process to service providers and on the corresponding service provider management. When using cloud services, companies must ensure that they comply with these requirements while still taking full advantage of the benefits of the cloud.

Together with the Deutsche Bundesbank, the German Federal Financial Supervisory Authority has published its own guidance on outsourcing to cloud service providers. In particular, this guidance is intended to create awareness of the problems involved in dealing with cloud service providers among regulated companies.

The Digital Operational Resilience Act (DORA) establishes a new regulatory framework that sets out detailed rules for operational risk management. It integrates existing regulatory requirements and ordinances into a single set of rules. In contrast to BaFin's previous administrative regulations, DORA's requirements are more specific and anchored in law. A new aspect of DORA is the higher requirement placed on service providers to improve IT security and its documentation. They must provide additional information and, in extreme cases, may be monitored directly by the supervisory authorities. This also extends to the suppliers of those direct service providers. When introducing cloud technologies, in particular software-as-a-service (SaaS) providers, which are often themselves customers of a cloud service provider, this aspect presents regulated companies with the extensive task of establishing appropriate service provider control along the entire supply chain.

Implementing requirements in the cloud context

Cloud services offer a wide range of opportunities for regulated companies. The cloud enables flexible scalability, allowing companies to react quickly to changing requirements and drive innovation. No less relevant is the potential for cost savings, in the form of reduced investment in physical infrastructure and lower operating costs.

However, the challenges for regulated companies when using cloud services are just as complex. In addition to regulatory requirements, they also have to deal with technical challenges such as the integration of existing systems into the cloud, data migration and interoperability. They also have to deal with governance issues, vendor lock-in and service level agreements to ensure their business objectives and compliance requirements are met.

Cloud providers offer innovative approaches to meeting specific requirements. However, it is essential that regulated entities keep data security and compliance risks in mind and adapt their existing service provider controls, requirements catalogs and outsourcing management to the specifics of cloud services. Inadequate adaptation can lead not only to data breaches, but also to reputational damage and financial losses.

To take full advantage of the opportunities associated with cloud services while minimizing the risks, regulated companies need to take a holistic approach to their cloud strategy. This includes a comprehensive risk assessment, the selection of trusted cloud providers, the implementation of strict security measures and the continuous monitoring and adaptation of the cloud infrastructure to changing threats and requirements.

Successfully moving to the cloud as a regulated company

Overall, the integration of cloud services opens up new opportunities for innovation and increased efficiency in regulated industries as well. Even in these business areas, it is almost impossible to do without cloud solutions in the long term: reduced competitiveness and technological restrictions would be the likely consequences.

Through a thorough risk assessment, careful planning and adjustments to their processes and service provider management, companies can leverage the benefits of the cloud while minimizing the associated risks, enabling a secure and successful digital transformation.

KRITIS Audit by usd AG

Do you need support?

Our experts in cloud security and information security in finance are always happy to help. Get in touch.

Also interesting:

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

The Digital Operational Resilience Act (DORA) will apply as of January 17, 2025. In addition to routine operational resilience testing, DORA will also make it mandatory for certain financial companies to carry out threat-led penetration testing (TLPT) every three...

Security Advisory on Gambio

The pentest professionals at usd HeroLab examined the online shop software Gambio during their pentests. The software offers merchants various functions that support the management of inventory and orders. Our professionals discovered a vulnerability in the password...