Is the cloud a compliance perimeter or an emerging threat surface?

Once hailed as a secure perimeter for regulatory compliance, the cloud is now being re-examined through a more skeptical lens. As digital infrastructures evolve, so do the risks—raising questions about whether the cloud still shields firms or simply reshapes their exposure. The answer may lie in how firms reframe their approach to governance in the era of everything-as-a-service.

We’re living in an age of increasing risks, and with such risks, businesses are being required to consistently reassess how these technologies operate within their ecosystem. Do they remain a net positive, or are they becoming a bigger challenge to the organisation?

In the view of Stacey English, director of regulatory intelligence at Theta Lake, the cloud is ‘absolutely central’ to modern compliance, particularly as firms are increasingly relying on cloud-based communications platforms such as Slack, Teams and Zoom to engage and work with customers.

She said, “These platforms not only operate in the cloud but also require cloud-based compliance solutions—for communications capture, archiving, search, and risk detection—to meet regulatory obligations effectively. Leveraging the cloud for these capabilities delivers significant advantages, including scalability, global consistency, and the ability to enforce security and compliance controls uniformly across complex, distributed environments.”

Despite this, English admits that the benefits of cloud-based platforms must be matched with rigorous oversight and validation of controls.

She detailed, “At Theta Lake, independently audited frameworks like SOC 2 Type II, ISO 27001, HIPAA, PCI DSS, and TruSight are essential for providing customers with comprehensive assurance. These annual audits test controls around role-based access, encryption in transit and at rest, business continuity and disaster recovery, incident response, and more.”

English remarked that transparency – a key tenet in any organisation – plays a critical role, with the firm’s trust center giving customers access to valuable documentation, including penetration test results, architectural diagrams, API security standards and legal and regulatory disclosures.

“Capabilities like Bring Your Own Key (BYOK) and Bring Your Own Storage (BYOS) further enhance the security and compliance posture by reinforcing customer control over data ownership and portability within the cloud,” she concluded.

Balancing act

For South African RegTech RelyComply, the cloud represents both a powerful perimeter and a potential risk vector, depending on how it's implemented.

The firm detailed, “When properly configured, cloud infrastructure offers advanced capabilities in encryption, access control, automated patching, and anomaly detection—all of which strengthen compliance posture and support regulatory readiness.

“However, it introduces new responsibilities. Financial institutions must ensure their cloud environments are rigorously segmented, access-controlled, and monitored. This includes clear data lineage, secure APIs, isolation of sensitive data, and infrastructure-as-code practices to avoid drift. The flexibility of cloud-native systems, especially for scaling analytics and detection systems, is challenging to replicate with legacy technologies. Still, misconfiguration remains a leading cause of exposure if not appropriately managed.”

New doors

Meanwhile, Baran Ozkan, CEO of Flagright, believes that moving to the cloud gives users unified security controls, built-in logging and automatic policy updates – claiming them to be massive advantages over scattered on-prem servers.

He went on, “But it also opens new doors if you misconfigure storage buckets or leave APIs wide open. The secret is a shared responsibility mindset with your provider, strict access rules and continuous watchdog monitoring. Tools like cloud-native security platforms, automated configuration scans and network segmentation keep you on the safe side while still enjoying all the cloud benefits.”

Copyright © 2025 RegTech Analyst
