Cloud Security and FCA Concentration Risk: What Financial Firms Must Do Under SS2/21
The FCA has identified cloud concentration risk — the systemic dependency of large numbers of financial firms on a handful of hyperscale cloud providers — as one of its most significant supervisory concerns. SS2/21, the FCA and PRA's outsourcing and third-party risk policy, applies fully to cloud arrangements: firms must conduct due diligence, document their cloud dependencies as material outsourced arrangements, maintain exit strategies, and demonstrate they can continue operating if their cloud provider suffers an outage. For firms that have migrated to cloud without updating their operational resilience framework, that gap is now a regulatory priority.
The FCA has identified cloud concentration risk as a systemic financial stability concern — with three providers (AWS, Azure, Google) hosting the majority of UK financial services infrastructure.
What SS2/21 Requires for Cloud Arrangements
FCA SS2/21 (and its PRA equivalent) applies to cloud services in the same way as any other material outsourcing:
- Due diligence before adoption: Assess the cloud provider's security posture, resilience, subcontractor arrangements, and regulatory cooperation
- Material arrangement registration: Cloud services that are material to the firm's operations must be listed in the outsourcing register
- Contractual requirements: Contracts with cloud providers must include audit rights, SLAs, data return provisions, and termination/exit rights — many standard cloud agreements do not include these without negotiation
- Concentration risk assessment: Firms that use the same cloud provider for multiple critical systems must assess and manage the concentration risk
- Exit planning: Documented, tested plan to migrate critical workloads to an alternative provider within the firm's impact tolerance
- Ongoing monitoring: Annual review of the cloud arrangement's performance and security posture
The Specific Security Controls FCA Expects in Cloud Environments
Beyond the governance framework, the FCA expects firms using cloud infrastructure to implement appropriate technical controls:
- Identity and access management: Cloud-native IAM with MFA — not just on-premise credentials extended to cloud
- Encryption: Data encrypted at rest and in transit in cloud environments; firm-held encryption keys for sensitive data
- Network controls: VPCs, security groups, and private endpoints — not public cloud storage buckets accessible from the internet
- Configuration management: Cloud infrastructure configured securely and monitored for drift — misconfigured storage is the most common cloud data breach cause
- Log management: Cloud audit logs centralised, retained, and monitored — AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs
- Vulnerability management: Cloud-hosted applications and services subject to the same patch management and vulnerability scanning as on-premise systems
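The identity, network, configuration and log-management expectations above are only useful if the centralised cloud audit logs are actually watched for the events that undermine them. As an added illustration (not Hadrian's code or any FCA-published rule set), the following Python script runs a handful of checks over constructed AWS CloudTrail records: a console login without MFA, a bucket ACL granted to AllUsers, Block Public Access settings being switched off, and the trail itself being stopped. The field names follow CloudTrail's documented record shape, but the sample events, account id, bucket and user names are placeholders I made up; the control labels and severities are my own.

```python
import json

# Constructed sample CloudTrail records (not real logs); only the fields the checks
# read are present. The account id 123456789012 and all names are placeholders.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.11"},
    {"eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"bucketName": "client-statements",
         "AccessControlPolicy": {"AccessControlList": {"Grant": [
             {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]}}}},
    {"eventName": "PutBucketPublicAccessBlock", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "requestParameters": {"bucketName": "client-statements",
         "PublicAccessBlockConfiguration": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "requestParameters": {"name": "org-trail"}},
]

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def _actor(event):
    """Best-effort principal name: IAM user name, else the ARN, else the identity type."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _grants(acl_policy):
    """CloudTrail serialises a single grant as a dict and several as a list; normalise to a list."""
    grants = (acl_policy.get("AccessControlList") or {}).get("Grant", [])
    return grants if isinstance(grants, list) else [grants]


def check_event(event):
    """Return the findings (list of dicts) raised by one CloudTrail record; empty if benign."""
    findings = []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = _actor(event)

    if name == "ConsoleLogin":
        # IAM control: console access without MFA
        mfa = (event.get("additionalEventData") or {}).get("MFAUsed")
        if mfa != "Yes":
            findings.append({"control": "IAM/MFA", "severity": "high",
                             "detail": f"console login by {actor} from "
                                       f"{event.get('sourceIPAddress')} without MFA"})
    elif name == "PutBucketAcl":
        # Network/storage control: a grant to AllUsers or AuthenticatedUsers makes the bucket public
        for grant in _grants(params.get("AccessControlPolicy") or {}):
            uri = (grant.get("Grantee") or {}).get("URI")
            if uri in PUBLIC_GRANTEES:
                findings.append({"control": "Storage exposure", "severity": "critical",
                                 "detail": f"{actor} granted {grant.get('Permission')} on bucket "
                                           f"{params.get('bucketName')} to {uri.rsplit('/', 1)[-1]}"})
    elif name == "PutBucketPublicAccessBlock":
        # Configuration drift: any of the four Block Public Access settings turned off
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        disabled = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if cfg.get(k) is not True]
        if disabled:
            findings.append({"control": "Configuration drift", "severity": "high",
                             "detail": f"{actor} disabled {', '.join(disabled)} on bucket "
                                       f"{params.get('bucketName')}"})
    elif name in ("StopLogging", "DeleteTrail"):
        # Log management: the audit trail itself is being switched off
        findings.append({"control": "Logging", "severity": "critical",
                         "detail": f"{actor} called {name} on trail {params.get('name')}"})
    return findings


def analyse(events):
    """Run check_event over an iterable of CloudTrail records and collect every finding."""
    findings = []
    for event in events:
        findings.extend(check_event(event))
    return findings


def summarise(findings):
    """Count findings per control area, e.g. for the annual review pack."""
    counts = {}
    for finding in findings:
        counts[finding["control"]] = counts.get(finding["control"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyse(SAMPLE_EVENTS)
    for finding in results:
        print(json.dumps(finding))
    print(summarise(results))
```

In practice the records would come from the centralised log store rather than an inline list, and the rules would be far more numerous, but the pattern is the same: each expectation in the list above maps to a small number of concrete API events worth alerting on, and the summary by control area is the evidence an ongoing-monitoring review needs.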
Hadrian for Cloud Attack Surface Visibility
Financial firms that have migrated rapidly to cloud often have an incomplete picture of their external attack surface — which S3 buckets are public, which API gateways are exposed, which legacy applications were migrated without security review. Hadrian's attack surface management platform discovers your entire external cloud presence — across AWS, Azure, and Google Cloud — identifying exposed services, misconfigured storage, and vulnerable applications before attackers do. That visibility is also the foundation for your SS2/21 outsourcing register and your PS21/3 important business service mapping.
Building a Cloud Exit Plan That Satisfies the FCA
The FCA's exit planning requirement is often dismissed as theoretical — until it is not. A credible cloud exit plan must address: which workloads are hosted where; which are genuinely portable (containerised) and which are locked into proprietary services; the realistic timeline to migrate each workload; the cost and operational disruption of migration; and whether alternative hosting has been contracted or can be contracted at short notice. Exit plans that have not been partially tested (at minimum, a tabletop exercise) will not satisfy a supervisor who asks whether the plan is credible.
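The concentration risk assessment and exit planning points above, and the credibility criteria in this section, reduce to questions that can be asked of a workload inventory rather than answered in narrative. The Python below is an added example of that, not any firm's register or an FCA template: it takes a constructed inventory of workloads (provider, portability, estimated migration time, impact tolerance, whether alternative hosting is contracted), reports which providers carry a large share of the estate, and lists the reasons each workload would fail the exit-plan test. The 50% concentration threshold and all the figures are assumptions of mine.

```python
from dataclasses import dataclass


@dataclass
class Workload:
    service: str                  # important business service the workload underpins
    provider: str                 # cloud provider currently hosting it
    portable: bool                # containerised / standard runtime, or locked to proprietary services
    migration_hours: int          # estimated time to re-host on the alternative provider (assumed)
    tolerance_hours: int          # the firm's impact tolerance for the service (assumed)
    alternative_contracted: bool  # alternative hosting already under contract


# Constructed inventory with made-up figures, not taken from any real register.
WORKLOADS = [
    Workload("payments", "AWS", True, 24, 48, True),
    Workload("client-portal", "AWS", True, 72, 48, True),
    Workload("portfolio-ledger", "AWS", False, 720, 72, False),
    Workload("reporting", "Azure", True, 36, 96, False),
]


def provider_shares(workloads):
    """Fraction of the workload estate hosted by each provider."""
    counts = {}
    for w in workloads:
        counts[w.provider] = counts.get(w.provider, 0) + 1
    return {p: c / len(workloads) for p, c in counts.items()}


def concentration_findings(workloads, threshold=0.5):
    """Providers whose share reaches the threshold; 0.5 is an assumed internal policy, not an FCA figure."""
    return sorted(p for p, share in provider_shares(workloads).items() if share >= threshold)


def exit_findings(workloads):
    """Map each workload to the reasons its exit plan would not hold up, omitting workloads with none."""
    findings = {}
    for w in workloads:
        reasons = []
        if not w.portable:
            reasons.append("locked into proprietary services")
        if w.migration_hours > w.tolerance_hours:
            reasons.append(f"migration {w.migration_hours}h exceeds impact tolerance {w.tolerance_hours}h")
        if not w.alternative_contracted:
            reasons.append("no alternative hosting contracted")
        if reasons:
            findings[w.service] = reasons
    return findings


def assessment(workloads, threshold=0.5):
    """Combine both views into the record a supervisor would ask to see."""
    return {
        "provider_shares": provider_shares(workloads),
        "concentrated_providers": concentration_findings(workloads, threshold),
        "exit_gaps": exit_findings(workloads),
    }


if __name__ == "__main__":
    report = assessment(WORKLOADS)
    for provider, share in report["provider_shares"].items():
        print(f"{provider}: {share:.0%} of workloads")
    print("concentrated:", report["concentrated_providers"])
    for service, reasons in report["exit_gaps"].items():
        print(f"{service}: " + "; ".join(reasons))
```

The point of keeping the inventory as data is that the exit plan can be re-evaluated every time a workload is added or an impact tolerance changes, which is what turns a paper plan into one that can be tested in a tabletop exercise.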
Frequently Asked Questions
Does SS2/21 apply to SaaS applications we use, not just infrastructure cloud?
Yes. SaaS applications that are material to the firm's operations — a CRM system holding all client relationships, a portfolio management system, a financial planning tool — are material outsourced arrangements under SS2/21 regardless of whether they are delivered via cloud infrastructure. The same due diligence, contractual, monitoring, and exit planning requirements apply.
Our cloud provider is AWS or Microsoft Azure — surely the FCA accepts them as reliable?
The FCA does not whitelist specific cloud providers. The concern is not the providers' reliability in isolation — it is the systemic risk of many firms simultaneously depending on the same provider and the impact of a major outage on financial stability. Firms using AWS or Azure must still comply with SS2/21 — including maintaining exit strategies and assessing concentration risk — regardless of the provider's reputation.