Security · IT Support
Why Your Firm's Cloud Foundation Matters More Than You Think
6 July 2026

Most firms don't think much about their infrastructure until it fails. It sits quietly underneath email, file storage, portfolio systems and everything else, and it's easy to assume that because a cloud platform is well-known, everything running on it is automatically secure and well-configured. That assumption is where most infrastructure risk actually lives.
Cloud platforms are secure by design. What firms build on top of them is a different question entirely, and one that's rarely asked until something goes wrong.
This article relates to the Infrastructure & Cloud domain of the Technology Resilience Score. It looks at whether your firm's foundations are actually as solid as they appear.
Why infrastructure is different for financial services firms
Financial services firms often move to cloud platforms quickly, driven by convenience and remote working needs, without always applying the same rigour to configuration and access control that the sensitivity of their data demands.
- Client money and deal data frequently sit in cloud platforms configured by non-specialists
- Access permissions accumulate over time and are rarely reviewed or tidied up
- Hybrid environments, mixing cloud and on-premises systems, create gaps between the two
- Rapid growth often outpaces the infrastructure decisions made when the firm was smaller
A platform's reputation for security doesn't transfer automatically to how it's been set up.
FCA resilience expectations and where your systems actually live
Operational resilience rules require firms to understand exactly how their important business services are delivered — including the infrastructure underneath them. A firm that doesn't know precisely where its data is hosted, how access is controlled, or how failover works between environments cannot credibly demonstrate resilience to a regulator, no matter how good its policies read.
Infrastructure decisions made years ago, by whoever was available at the time, often don't match the firm's current size or risk profile. The key question becomes: "Do we actually know how our systems are configured today, or are we relying on how they were set up when the firm was much smaller?"
Is your firm's technology environment resilient?
Find out whether your cloud and infrastructure foundations are built for the firm you are today.
Get your Technology Resilience ScoreThe problem with assuming the cloud is looking after you
Cloud providers secure their own infrastructure. They don't secure how a client configures access, permissions or data sharing on top of it, and that distinction gets lost in a lot of firms.
- Default configurations left unchanged since initial setup
- Access permissions granted broadly for convenience and never revisited
- No clear record of what infrastructure exists or how it's connected
- Legacy on-premises systems left running alongside newer cloud platforms with no integration plan
An unmanaged foundation makes every layer built on top of it less trustworthy.
What weak infrastructure and cloud management looks like in a financial services firm
These issues turn up repeatedly when firms look closely at their environment for the first time.
- No documented inventory of cloud services and infrastructure in use
- Administrator access granted to more people than actually need it
- No regular review of configuration against current security standards
- Data spread across multiple cloud platforms with inconsistent controls
- No clear ownership of infrastructure decisions as the firm has grown
- Ageing on-premises hardware still supporting critical functions
Each gap increases the odds that an incident starts somewhere nobody was watching.
What strong looks like
A firm with a strong infrastructure foundation has a clear, current picture of where its systems and data live, whether cloud, on-premises or hybrid. Access is granted deliberately and reviewed regularly, configurations are checked against recognised standards, and there's a clear owner responsible for keeping the environment aligned with the firm's actual risk profile.
Growth doesn't outpace infrastructure in a well-run firm, because infrastructure decisions are revisited as the firm changes, not left as they were on day one.
How this TRS domain helps financial services firms improve
The Infrastructure & Cloud domain of the Technology Resilience Score looks at where systems and data are hosted, how they are secured, and how well they are managed across cloud and on-premises environments.
- Builds a clear inventory of infrastructure and cloud services in use
- Assesses access control and configuration against current standards
- Reviews how cloud and on-premises environments are managed together
- Identifies legacy systems that now carry disproportionate risk
The result is a score out of 5, giving your firm a clear baseline and a structured improvement path for the foundation everything else depends on.
Building on solid ground
Every other part of a firm's technology environment, from security controls to business continuity, depends on the infrastructure underneath it being sound. Getting the foundation right makes every subsequent improvement more effective.
The Technology Resilience Score gives ambitious financial services firms a benchmark across 10 domains, including Infrastructure & Cloud, so the foundation gets the same scrutiny as everything built on top of it.