
Published: 29.08.2023 | Topic: Digitalisation

“Regulatory pressure can drive forward the digitalisation of the financial sector”

Dr Sibel Kocatepe is an expert in the area of IT supervision at the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin). In this interview, she discusses the rapid development of cloud services, the associated risks and how BaFin is dealing with this issue.

According to the Federal Statistical Office of Germany, 71% of large companies made use of cloud services as part of their IT architecture in 2021. Such technology can provide users with convenient and on-demand access to, for example, networks, servers, storage space, applications and services from any location. Cloud services can be set up and used quickly and with little effort.

The trend shows no signs of abating and cloud services are also increasingly being used within the financial sector. They are therefore receiving greater attention from BaFin. Dr Sibel Kocatepe is an expert in the area of IT supervision at BaFin and has been working in this area for years. Here, she explains the opportunities and risks that arise from cloud services as well as BaFin’s focus areas.

Dr Kocatepe, cloud services have now become an integral part of IT architecture within the financial sector. Why is that?
Cloud services are creating clear opportunities for the financial sector – such as current innovations that cater for a broad client base. In most cases, cloud capacities can also be flexibly adjusted as needed. This is enabling the financial sector to rapidly develop its own innovative products and services and bring them to market. Furthermore, cloud services can be used to replace high-maintenance and outdated IT infrastructure.

Are cloud services secure?
Services from cloud providers indeed often provide a high level of cyber security. Providers frequently even assist customers in making their in-house applications secure. It is up to the customers, however, to make use of these opportunities. Sometimes this causes problems, particularly when companies outsource more and more of their processes to cloud service providers. In such cases, companies risk becoming dependent on the service providers concerned. What would happen, for example, in the event of a system failure at such a cloud service provider? Simply using another service provider as an ad hoc replacement would not be an option. And it is no straightforward matter for the companies that outsource processes to replace these systems themselves. Even a planned changeover from one service provider to another requires significant preparation and time – and you can imagine the situation a financial enterprise would face if a provider were suddenly no longer able to deliver its services. That would definitely pose a major problem.

What does that mean for the financial market as a whole?
When we look at how cloud services are being used across the financial sector as a whole, the scale of this risk quickly becomes apparent: a small number of cloud service providers are offering their services to a large number of companies throughout the financial market. We refer to these as multi-client service providers. A system failure at a multi-client provider of cloud services would result in numerous financial enterprises being left without access to these services simultaneously. Depending on the type of services, this could pose a risk to more than just the affected companies – it could jeopardise the stability of the entire financial market.

How is BaFin addressing these risks?
As I have said, we are aware of the opportunities that cloud services create for the financial sector and accept that a world without such technology is now unimaginable. This is why we help financial enterprises to use them in a way that is both practical and in line with supervisory requirements. We maintain regular contact with cloud service providers as well as the industry in this regard. Furthermore, we are currently working together with the German Bundesbank to update BaFin’s Guidance on outsourcing to cloud service providers. One particularly important topic for us at the moment is the monitoring of third-party service providers, including in the area of cloud services, and we are currently attempting to gain an overview of existing outsourcing relationships. The objective here is to detect concentration risks.

Figure: Outsourcing map (© BaFin)

How are you obtaining this overview?
Since the end of last year, a uniform outsourcing notification requirement has applied throughout the sector. This means that supervised companies have to notify us about any new outsourcing arrangements. They also have to inform us about any changes or serious incidents that take place in connection with any outsourcing arrangements. Furthermore, we have requested around 250 selected companies to report all of their outsourcing arrangements to us. As part of these requests, we have specifically been asking for details regarding cloud services. All of this information ends up in our outsourcing database.

And what insights has BaFin gained here?
We can systematically determine which cloud service providers are active on the financial market, which and how many supervised companies are using such service providers, which providers are being used for which cloud services, which sub-providers are being used and who is dependent on whom. Transparency is extremely important as it enables us to respond to any deficiencies among outsourcing providers or cloud service providers in a consistent, appropriate and risk-oriented manner. This ultimately increases the resilience of the financial sector.

It nevertheless places a significant workload on companies...
But they also benefit from the collection of data. After a relatively brief period, we are already reaping the rewards of these efforts. For example, as part of its outsourcing notification to us, one insurance company recently reported a serious security incident at its IT service provider. The question that of course immediately arose for us was: what other financial companies had been affected by the incident and might still be unaware of it?

What exactly does BaFin do in such cases?
We used our outsourcing database to determine which other financial enterprises were using the same IT service provider. Our initial analysis revealed that banks were also among its customers. The ability to gain such insights from across various sectors so quickly is a new and very valuable development for us. Without the reforms to the notification requirement, this would not have been possible.

So you can warn other financial enterprises if they are the customers of a troubled IT service provider?
Precisely. We contacted the customers of the service provider that were known to us and informed them of the problems. They were, of course, grateful. Nevertheless, we are also eager to know why the financial enterprises affected did not notify BaFin about the incident. We are continuing to look into the matter – especially with a view to optimising this relatively new process. This will be beneficial for everyone involved. Incident reporting is a great example of the advantages of the uniform electronic outsourcing notification requirement. We know that companies will have to invest considerable resources into this transition. Nonetheless, we are certain that these efforts will prove worthwhile for the financial enterprises concerned. Our motto here is “the more outsourcing you report to BaFin, the more effectively we can respond”.

What is the legal framework for BaFin’s supervisory activities in the area of cloud services?
As a rule, the national requirements regarding outsourcing apply to the use of cloud services. These were revised as part of the German Act to Strengthen Financial Market Integrity (Gesetz zur Stärkung der Finanzmarktintegrität – FISG). We are now able to issue orders in all areas of supervision directly to outsourcing providers, including cloud service companies. We can also impose administrative fines if outsourcing providers do not comply with our orders. Previously, we were always compelled to take the indirect route via financial enterprises. This is no longer the case.

Photo: Dr Sibel Kocatepe (© Fotostudio Sachsse)

What is the role of the Digital Operational Resilience Act (DORA), which came into force in January 2023, in the supervision of cloud services?
From 2025 onwards, DORA will apply throughout Europe. This act will complement the existing national legal framework. DORA focuses on cloud service providers. It nevertheless still has to be determined which cloud service providers will be subject to European monitoring. This will depend on the results of a complex classification process by the European Supervisory Authorities (ESAs). We will know more in 2025 at the earliest.

How precisely does the DORA monitoring framework function?
The European monitoring framework is very similar to our national approach. At the European level, too, there will be registry and notification requirements for financial companies. This will also provide transparency as to which companies are using which ICT service providers. Furthermore, there are the Joint Examination Teams (JETs). These consist of members from the ESAs and the national supervisory authorities, such as BaFin, and monitor third-party ICT service providers. If a JET identifies deficiencies, it issues recommendations for the service provider to make improvements. For example, improvements might be needed in the areas of ICT security, risk management processes or governance requirements.

Will DORA make the financial sector more secure?
I am quite certain that DORA will make the financial sector more resilient against IT risks and cyber attacks. Overall, the monitoring framework is a new development – especially when it comes to cloud and other IT service providers that perform cross-border operations for the entire European market. With DORA, the European legislator has introduced legislation exactly where it is needed. DORA will also significantly strengthen the position of BaFin vis-à-vis foreign service providers that hold a monopoly position. In the near term, the monitoring of critical cloud service providers will definitely be an area of focus for BaFin’s IT supervision.

What advice would you give to supervised companies on preparing for DORA?
In recent months, most companies have already started preparing for the implementation of DORA. As part of these efforts, they should focus on more than just its individual articles. It might sound mundane, but the best way to start preparing is by reading through the text of the Regulation, including the recitals at the start. The recitals provide background information on the Regulation and thus offer insight into the intention of the legislator. Understanding this background will make it easier to implement the provisions of the individual articles. For example, the term “cloud” doesn’t appear even once in the main text of the Regulation. The recitals nevertheless make it clear that cloud services are one of the Regulation’s key areas of focus. It should also be noted that many of the provisions are specified in greater detail in delegated acts. The ESAs are publishing these acts for consultation. Financial enterprises are able to participate in these consultation processes and should use the opportunity to do so.

Do you think that DORA and financial regulation in general are ultimately slowing down digitalisation?
On the contrary! The pressure from Berlin and Brussels is being felt particularly strongly in the area of IT outsourcing. This is ultimately driving forward digitalisation within the financial sector because everyone is now compelled to address the topic of secure and resilient IT solutions. Moreover, IT service providers throughout Europe have to adhere to the same conditions. This is important because it prevents national regulatory conditions resulting in disadvantages for certain locations. If cloud service providers are covered by the European monitoring framework or adhere to it voluntarily – which is also a possibility – this fosters trust in cloud services and in outsourcing as a whole. Regulation should therefore be viewed as an opportunity, especially by cloud service providers.

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
