Firms are turning to the cloud in increasing numbers, but not all of them are aware of the risks involved. Nicholas Pratt investigates.

Financial services of all types have grown more comfortable with the cloud. Furthermore, they are prepared to move more of their operational assets to the public cloud. In 2019, Deutsche Bank announced plans to move the majority of its applications from “expensive and inflexible physical servers” to the cloud. And in July, HSBC signed an agreement with Google Cloud to expand its use of cloud technology and adopt a ‘cloud first strategy’.

Meanwhile, a survey from US-based Tabb Group found that 7% of buy-side firms plan to adopt 100% cloud adoption in the next 12 months. While this may not be a massive number, it is 7% more than in the same surveys run in the previous two years.

Increasingly asset managers are no longer looking at the cloud as just a cheaper option for their IT infrastructure but as a way to manage their administrative burden and their application development. For example, IHS Markit found that 80% of asset managers in Europe and North America plan to use the cloud for their data management by the end of 2020.

The IHS Markit survey also found a growing awareness of managed service providers (MSPs): specialist IT services firms that help firms manage their migration to the cloud. The potential growth of the MSP market was spotted by global private equity giant Blackstone in 2018 when it acquired Cloudreach, which it describes as one of its ‘tactical opportunities portfolio companies’.

One of the main reasons for the popularity of the MSP market is that the cost, work and risk involved in migrating to a cloud-based platform can sometimes be overlooked by firms that have decided to manage the migration on their own. In the eyes of some MSPs, this move is akin to deciding to do your own loft innovation or represent yourself in court.

“Trying to maintain an efficient operation during that migration creates a huge operational risk,” says Jed Gardner, senior vice president, Linedata Technology Services. “You are taking that traditional IT structure and moving it to an outside environment, but in most cases you are not moving everything, so you now have two different operational locations. Using multiple cloud providers poses even more of a challenge, especially in terms of security and regulatory issues.”

For example, national laws around data portability are inconsistent. While a number of countries have clamped down on allowing data to leave its borders, others have become more relaxed. For example, Switzerland has rolled back decades of banking secrecy laws to enable clients’ data to be stored abroad in the cloud.

Focused on security
Regulators are also becoming more involved in the oversight of security at cloud providers. Luxembourg issued rules for fund managers using the cloud, while the European Central Bank has also issued warnings to banks employing cloud providers regarding the monitoring of security protocols. Employing an MSP is consequently a necessary step for firms operating in the cloud across several jurisdictions with different rules.

An MSP can also help manage some of the cultural challenges involved. The fear of change can make any cloud migration a challenging journey. Old habits and the status quo will be broken as the way that teams craft software or use automation will change.

Closely aligned to the cultural challenge is the skills deficit. New technologies mean new ways of working and cloud migrations can often expose a skills gap, which may require retraining of existing staff or even the recruitment of new talent. Neither is easy. The former involves overcoming some of the aforementioned cultural issues while the latter is no longer as straightforward as it once was, with big tech proving more of an allure than financial services to the next generation of technologists.

Firms can also fail to consider the full financial cost of such moves, including data, application and API integration, says Gardner. This is especially true for the smaller fund managers that do not have large technology teams and are keen to benefit from the operational advantages of using the cloud. “They may have lots of applications involved in a migration. Losing access to any of those would have a huge impact on their daily business.”

In the past, the easiest option was to pretend such obstacles weren’t an issue, but Gardner says that’s changed as awareness around cyber risk and vendor due diligence increases. However, there is still a lot of ground to make up. “Asset management has been heavily underprepared,” he adds. “Firms need to think differently about who they engage with. They should choose partners that understand asset management operations, and not just cloud technology.”

If done correctly, public cloud migrations offer plenty of benefits, but the motivation behind the migration is also important, says Gardner. “If you’re looking at how you can generate operational alpha through the cloud and other new technology, like containerisation and APIs, that’s all great. But if your primary aim is to save some money, that is not the right reason to be migrating.”

Important benefits
Firms also have to consider exactly what processes or functions are best suited to the cloud. For example, some of the benefits include a more agile environment for application development or automated testing of those apps – benefits that will be increasingly important as firms look to be more innovative.

Eze Castle Integration provides managed IT services for both the public and private cloud, including outsourced IT services support for migrations, teams of engineers and cyber-security support.

“We spent many years migrating fund managers on to our private cloud, but we are now seeing an increasing number of larger firms using the public cloud,” says chief technology officer Steve Schoener.

“Greater comfort comes with time and more firms found they were being asked why they were not in the cloud. It can enhance operations, especially disaster recovery and resilience. The idea of data sitting in the office is dying. And firms are being asked how they securely store investors’ data.”

Nevertheless, to gain the benefit of enhanced security, the migrations have to be done correctly, says Schoener. “People want to do things themselves, but this can create security risks. Typically it is not AWS or Azure that get hacked. Instead, the connection with the cloud provider can be badly set up in the migration. We have seen it ourselves several times and have developed implementation standards as a result. A lot of firms try it themselves, mess it up and then come to us.”

It is a familiar theme for MSPs that their clients often fail to put in place someone with the adequate qualifications to manage the operational risk involved with cloud migrations. “We are typically dealing with COOs and CTOs and compliance teams rather than risk staff,” says Linedata’s Gardner of his engagements with fund managers.

“It varies hugely and depends on how big the organisation is. In a lot of mid-sized organisations, the COO is also covering a lot of operational risk issues. Although they may understand operations, they may not necessarily understand operational risk. As you get to the larger firms, they will hire dedicated operation al risk managers.”

An additional problem is the opposition to letting third parties manage something like operational risk, preferring to keep it in-house. While this may be fine for a big firm with adequate risk resources, it is less helpful for smaller fund managers, says Gardner.

“Some managers are not managing operational risk adequately but are worried that outside firms wouldn’t understand their specific requirements well enough to help them. By the time they do realise they need outside help, the damage may already be done. If the industry could accept the value of outside firms in managing operational risk, it would be better.

“Many firms realise they have a problem but don’t know what to do with it, so they make it worse. On operational risk, it really doesn’t need to be like that. Know what your risks are and accept that you can fix your risks in various ways, including the use of third parties,” says Gardner.

© 2020 funds europe