Adobe Stock
Banking’s relationship with
But in the rush to modernize, many banks are overlooking a growing risk: cloud concentration. The vast majority of cloud services
That’s a problem. It means that critical operations — from payments to lending to customer interactions — are now deeply tied to third-party platforms that banks don’t own, don’t fully control and can’t easily switch away from due to various reasons such as a vendor lock-in. In trying to solve the risks of outdated internal systems and the constant need for services, upgrades and maintenance, banks have largely traded them for a new kind of dependency that may be even more challenging to manage.
We’ve already seen how a cloud outage can ripple through the financial system. In December 2021, an AWS disruption impacted banking services nationwide. In 2023, Microsoft’s cloud failure affected institutions around the world. And in July 2024, the
While major cloud service providers offer better security than any single bank could achieve, the key risk here isn’t about IT or cybersecurity controls — it’s about concentration. When critical financial infrastructure is consolidated among just a few service providers, any disruption can cascade through the entire sector and the financial ecosystem.
Regulators have taken notice. In Europe, the emergence of these risks led to sweeping measures like the Digital Operational Resilience Act, or DORA, and the U.K.’s PRA/FCA supervisory oversight, including PRA SS 2/21 on Outsourcing and Third-Party Risk Management. In the U.S., regulators are taking more targeted steps. The U.S. Treasury
To stay ahead of evolving regulations, and to protect their data, customers and business, banks need to integrate cloud governance with their enterprise risk strategy, which is a fundamentally different and a much-needed approach to cloud governance. This should include thoughtful diversification across multiple providers, regularly tested exit strategies and deep engagement with cloud partners on a shared responsibility model.
First, banks should consider diversifying across multiple cloud service providers. What percentage of critical operations run on a single platform? What would happen if access were lost for 24 hours? For a week? Managing multiple cloud service providers could get complex, but it allows institutions to be more resilient and to operate within a diversified environment in a way that is based on their operational needs. This allows them to achieve objectives and key results.
Second, banks must develop exit strategies that are regularly tested. Most institutions dramatically overestimate their ability to migrate workloads rapidly between providers during a crisis. When was the last time your bank actually tested its ability to shift critical systems away from your primary cloud service provider?
Finally, transparent risk reporting is essential. Banks should quantify and disclose their cloud dependencies to boards, regulators and shareholders.
The time for passive acceptance of this growing interdependence has passed. Bank leaders must act now to ensure that the technological transformation reshaping the industry doesn’t inadvertently create the next systemic crisis.
