The Technology Subcommittee of the Federal Financial Institutions Examination Council (“FFIEC”) -- the interagency body responsible for prescribing uniform principles and standards for federal financial institution examinations -- recently released a statement highlighting the operational and compliance risks related to “outsourced cloud computing.” Outsourced cloud computing involves the practice of engaging a third-party vendor to deploy part or all of a core business application or service outside the corporate firewall using Internet-based application architectures, frequently in shared computing environments. Cloud computing arrangements can speed up application deployment times, increase operational flexibility, provide for business continuity in case of disruptions caused by natural disasters and outages, and reduce IT costs, but may introduce additional regulatory and data management risks. The FFIEC whitepaper follows a similar paper issued by the National Institute of Standards and Technology in December 2011 titled “Guidelines on Security and Privacy in Public Cloud Computing.”
The nonbinding FFIEC statement supplements guidance contained in the FFIEC Outsourcing Booklet and identifies the following major risk management issues financial institutions should consider before deploying a cloud-based solution:
Cloud computing may introduce data classification, data segregation, and data recoverability issues because sensitive customer data formerly stored behind the firewall may now be housed on servers shared with other vendor customers, and may be transmitted over shared networks. Financial institutions should ensure that cloud vendors have adequate controls in place to protect sensitive data, and permit data recovery in case of an unauthorized breach or service interruption. Cloud-based vendors must also be able to demonstrate that they understand the regulatory requirements that financial institutions face.
Financial institutions should have a vendor review process in place to evaluate whether a given cloud vendor can meet regulatory requirements, and should account for vendor disengagement in all contracts.
Financial institutions should develop vendor audit plans and ensure that auditors possess expertise with cloud computing environments in order to properly evaluate a vendor and mitigate risk.
Before engaging a vendor, financial institutions should review and update their information security plans and procedures in order to ensure adequate protection of important customer data stored in the cloud. These plans and procedures should account for cloud-based application architectures in access management policies, data backup procedures, and policies regarding the use of shared data facilities.
Financial institutions should update their regulatory compliance models to account for jurisdictional differences they may encounter when deploying a cloud solution. Cloud vendors often store data overseas, and financial institutions should be aware of the differing privacy, information security, and data breach notice requirements in various jurisdictions.
While enhanced business continuity is one of the major benefits of cloud computing, financial institutions should closely evaluate whether the cloud vendor itself possesses adequate business continuity and recovery plans to meet the financial institution’s needs.

Millions of consumers use mobile banking and online payment solutions dependent in whole or in part on cloud computing. Financial institutions that wish to benefit from the potential advantages of cloud computing should develop plans to mitigate inherent regulatory and operational risks before deploying such solutions.