Following the IIF’s previous 3-part series on cloud computing, several regulators posed questions as to whether CSPs might be formally designated as “critical infrastructures,” and what such treatments might look like in practice.
This paper explores two possible models of such treatment, how those models might be operationalized, and some of the possible downstream consequences. The paper also explores some other potential solutions, and the new technological initiatives that are emerging in this space, in particular to address resiliency issues and ensure continuity.
Regulators and policymakers are encouraged to take a forward-looking view of emerging risks and regulatory requirements in respect of a technology that is increasingly important across the sector, but the timing of regulatory responses needs to be cognizant of the current early stage of maturity and evolution. Where this paper provides a conceptual assessment of some of the emerging solutions, the development of key metrics is necessary to build on this, and enable a more empirical assessment.
In order to pursue a data-driven and analytical approach, the IIF recommends beginning with the development of metrics for system-wide critical exposures and dependencies, and we propose to convene a workshop of financial institutions, CSPs, and regulators to identify such appropriate metrics. This will provide important inputs for assessing the various potential solutions, and to support the forward-looking view of risk, while avoiding any premature actions that could stifle innovation or market development.