Data & Analytics Insights

From regulation to resilience: How financial firms are evolving their cloud strategies

A new survey from LSEG shows that most financial services firms from around the globe have made changes or updates to their cloud strategies partially in response to data privacy, security and sovereignty regulations. While the approaches to compliance vary across regions, depending on the respective local regulatory framework, one theme stands out: operational resilience is a shared priority for both firms and regulators.

  • Cloud strategies are shifting: Financial services firms from around the globe have made changes or updates to their cloud strategies partially in response to data privacy, security and sovereignty regulations, according to a new LSEG survey.
  • Compliance approaches differ by region: The approaches that firms take to meeting their cloud compliance obligations vary as jurisdictions are at different stages of creating their cloud rulebooks.
  • However, firms and regulators alike seem to understand the importance of operational resilience as a way to reduce outages and enhance their strategies.

In a recent LSEG survey, 84% of respondents say they have changed or updated their cloud strategies in response to data privacy, security and sovereignty regulations, with more than a quarter (28%) making extensive changes. Amid these shifts, operational resilience has emerged as a shared priority for both firms and regulators, reflecting a common goal to strengthen cloud stability and reduce disruption.

The survey is based on research commissioned by LSEG that was conducted online by Phase 5, an independent marketing research and consulting company, from November 2024 through March 2025. A total of 453 financial services executives around the globe completed the survey. Nearly two-thirds (63%) of survey respondents are primary decision-makers for financial market data and IT solutions in their organisation. The survey covered 12 countries.

Operational resilience: a shared priority

Operational resilience in the cloud is one shared priority area for financial firms and regulators. Globally 30% of respondents say their organisation experienced an operational disruption due to cloud services in the past 12 months. As a result, resilience and security are becoming central to how firms evaluate the value of their cloud strategies, cited by 47% of respondents as a key performance indicator.

The EMEA region places the most importance on operational resilience when selecting a cloud provider, with 95% of respondents rating this either very important (61%) or critical (34%). Some 29% of EMEA respondents reported an operational disruption due to cloud services over the past 12 months, slightly below the global average.

The picture in APAC is more complex. The region has the highest rate of operational disruption – 38%, and APAC firms are focused on operational resilience – 51% of respondents say that it is an indicator used to assess return on investment (ROI) of cloud strategies at their firm, which is the highest of the three regions. However, there is a disconnect when it comes to supporting that goal, as only 21% of respondents say that operational resilience is critical when selecting a cloud provider, the lowest of the three regions.

APAC regulators are starting to encourage a greater focus on operational resilience. For example, in November 2024, some APAC regulators  - including the Australian Prudential Regulation Authority, Hong Kong Monetary Authority, Otoritas Jasa Keuangan (Indonesia), Bank of Japan, Bank Negara Malaysia, Bangko Sentral ng Pilipinas, Bank of Thailand, and the Monetary Authority of Singapore (MAS) - and global cloud service providers conducted a crisis management tabletop exercise, which was the first of its kind in the region.

Adapting to a dynamic regulatory landscape

One third (33%) of financial firms say that regulatory changes are impacting their cloud strategies, including migration, artificial intelligence, analytics, and more. According to the survey, top indicators used to assess ROI on their cloud strategies include flexible capacity (51%), revenue growth (47%) and greater security/resilience (47%).

The survey also highlights how firms are evolving their cloud strategies to meet compliance expectations. Of those respondents who say their cloud strategy is impacted by data privacy, security and sovereignty regulations[1], 59% say they are adopting hybrid strategies and 56% are adopting multi-cloud strategies to adapt to regulatory requirements. In addition, 37% of financial services firms are limiting what data is kept in the cloud, while 35% are working with locally/regionally owned vendors.

In the survey, multi-cloud strategies are defined as those in which workloads, applications, and data are distributed across multiple public cloud providers. Hybrid cloud strategies are those in which workloads, applications, and data are distributed across a combination of public and private cloud or on-premises locations.

These shifts reflect a strategic and responsive approach to regulation, balancing compliance with innovation and operational resilience.

The relationship between rules and ROI

Regulatory frameworks vary by region. For example, one-third (33%) of APAC respondents say that they have had to change or update their cloud strategy extensively in response to data privacy, security and sovereignty regulations – compared with less than one-quarter (24%) of EMEA respondents. The APAC region’s jurisdictional cloud rules continue to evolve.  For example, respondents must comply with India’s Digital Personal Data Protection Act (2023) and the recent amendments to Australia’s Privacy Act, and updates are expected to Japan’s data rules within the next year.

One-third (33%) of Americas respondents say that regulatory changes are the top barrier to achieving expected ROI from cloud strategies. This result is driven by Canadian respondents, of which 96% say they made either moderate or extensive changes to their cloud strategies due to data privacy, security and sovereignty regulations. Canadian banks are implementing a Third-Party Risk Management guideline (April 2023), an Integrity and Security guideline (January 2024), and an Operational Risk Management and Resilience Guideline (August 2024). In the US, the new administration is expected to influence the direction of cloud regulation in time, and bilateral trade agreements may impact firms’ cloud strategies too.

Regulatory change is also a key issue for EMEA respondents, but in a slightly different way. “Data loss and leakage risks” is the top barrier to achieving expected ROI from cloud strategies at 31%. Tied with it are regulatory changes (31%) and compliance concerns (31%). The EU and UK have long had cloud rules for financial services firms, and the EU’s Digital Operational Resilience Act (DORA) is having a significant impact on cloud strategies.

Overall, cloud regulations are having an impact on the ROI that financial firms want to deliver on their cloud investments in all regions. However, in some areas, financial firms agree that the requirements can have a silver lining to drive ROI as they aim to increase operational resilience.  

[1] Data sovereignty regulations seek to ensure that data is subject to the laws and policies of the jurisdiction in which it was generated.

Read more about

Stay updated

Subscribe to an email recap from:

Legal Disclaimer

Republication or redistribution of LSE Group content is prohibited without our prior written consent. 

The content of this publication is for informational purposes only and has no legal effect, does not form part of any contract, does not, and does not seek to constitute advice of any nature and no reliance should be placed upon statements contained herein. Whilst reasonable efforts have been taken to ensure that the contents of this publication are accurate and reliable, LSE Group does not guarantee that this document is free from errors or omissions; therefore, you may not rely upon the content of this document under any circumstances and you should seek your own independent legal, investment, tax and other advice. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon.

Copyright © 2025 London Stock Exchange Group. All rights reserved.