OpRisk Awards 2016
The transfer of a growing proportion of business IT activity to the cloud is inevitable, many experts believe. Technology, economics, new business models and increasingly accepting millennial users are encouraging companies to outsource a growing proportion of their IT infrastructure and software to cloud-based service providers.
"As technology reaches the end of its life, we're increasingly seeing companies ask whether they want to invest in the technology and the people to run it, or instead to consume it as a service from the cloud," says Henry Duncombe, managing director of Lanware, a London-based outsourcing technology provider that focuses on the financial services sector.
Lanware, whose clients include asset managers, insurers, payment providers and financial technology firms, offers a full suite of outsourcing services. These range from infrastructure-as-a-service, disaster recovery, unified communications and back-up to full-service, cloud-based IT provision, which is delivered via a ‘virtual desktop'.
A particular challenge for financial services is the need to manage risk around outsourcing to the cloud and meeting compliance requirements... ideally, cloud providers need to do more to tailor their services to the financial world
Henry Duncombe, Lanware
"At the macro level, the growth of cloud-based services is inevitable. Whether people like it or not, this is becoming the new delivery model, as is evident from the huge growth in shadow IT systems, where users are bypassing their IT departments and sourcing technology directly from the cloud," Duncombe says.
"However, a particular challenge for financial services is the need to manage risk around outsourcing to the cloud and meeting compliance requirements... ideally, cloud providers need to do more to tailor their services to the financial world."
Financial regulators are now providing guidance to regulated firms about outsourcing IT systems to the cloud and, while they are generally supportive of the practice, they expect them to retain "oversight and contingency around the outsource partner", he says. "Financial services firms need to do this because they can't absolve themselves of the accountability for managing the operational risk."
This places a high importance on the ability of the outsourcing providers to accurately report back to the client on how they are meeting various regulatory requirements. This can be particularly challenging with larger cloud service providers where, unless you are a significant client, it can be difficult to exert any meaningful control, says Duncombe.
"For outsourcing critical systems to the cloud, key contractual provisions such as audit rights and an agreement to comply with the regulator if they need to carry out a review are often not easy to obtain," he says.
Secure and resilient
Lanware's cloud offers a secure ‘administration access zone' for the administration of client systems, with all work by Lanware engineers conducted via secure servers, and sessions continuously recorded using a virtual closed-circuit TV system. Not only does that reduce the risk of unauthorised changes to client systems, but it also provides an audit trail should any regulatory issues emerge.
It's not only regulators that are keeping a close eye on firms' IT resilience: clients want to have comfort that their financial services providers have secure systems in place. "For many of our clients, we are their chief technology officer. So when they get the due diligence questionnaires through the door from their clients, we're in those meetings to help them respond," Duncombe says.
"It plays to our strengths; it's about moving beyond providing a service to becoming a partnership," he adds.
The week on Risk.net, July 14–20, 2017Receive this by email