21 September 2012

Outsourced Cloud Computing: FFIEC Warns of Pitfalls

On July 10, 2012, the Federal Financial Institutions Examination Council (FFIEC) issued an opinion on cloud computing and the associated risk to the financial industry. Cloud computing is the buzzword used to describe a wide variety of business practices. The FFIEC struggled to find one definition of “cloud computing,” but in general described it as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud’.” As a term, cloud computing can describe service-related products, meaning the provision of infrastructure, computing platforms and software, or deployment-related products, meaning how the cloud service is provided. Clouds can be private to one organization, shared by communities of organizations, or public, meaning open to any paying user.

When financial institutions outsource cloud computing, the risk increases just as it does with any other outsourced service. The FFIEC directs financial institutions to its previously published FFIEC Information Technology Examination Handbook (IT Handbook) and its Outsourcing Technology Services Booklet for discussion of these risks.

The FFIEC’s opinion highlights the following areas of risk that should be considered:

  • Due Diligence – Ensuring the third party’s activity is conducted in compliance with applicable laws and regulations, in a safe and sound manner, and in line with the institution’s strategic plan and corporate objectives. The FFIEC opinion asks the financial institution to consider the classification of the data placed in the cloud. For example, will the data be properly encrypted to protect non-public information from disclosure? Will the information be housed on servers used by other clients, and what controls will the vendor use to protect the data? Finally, does the vendor have a disaster recovery plan?
  • Vendor Management – Vendors familiar with the regulations placed upon financial institutions should be chosen, and the financial institution should watch to ensure the proper changes are made by the vendor as regulations change. Also, the contract should clearly spell out who owns the data and how disputes may be resolved.
  • Audits – Financial institutions should have auditors familiar with the issues presented by cloud computing perform audits to ensure internal controls are functioning properly.
  • Information Security – Before entering into a relationship with a cloud computing vendor, the financial institution should ensure this relationship is in line with its own security policies, standards and practices. The FFIEC notes that continuous monitoring may be necessary to ensure the provider is maintaining the effective controls. Controls on information in the cloud should include identity and access management, and encryption. The financial institution should have a process to monitor, investigate and document security threats and incidents on its own server, as well as the cloud. The financial institution should also confirm that any data stored in the cloud can be completely removed at the end of the relationship.
  • Legal, Regulatory and Reputational Considerations – Contracts with the provider should clearly spell out the legal and regulatory requirements that the financial institution is bound by and that are attached to the storage of the data. The vendor may be overseas, the data may be stored overseas, or the vendor may be handling data from numerous sources with distinct requirements. The financial institution cannot rely on the vendor to know the applicable regulations.
  • Business Continuity Planning – Does the vendor have adequate plans and resources to restore data after destruction?

The FFIEC opinion notes that cloud computing may not be in every financial institution’s best interest if each of these issues cannot be satisfactorily resolved before the start of the relationship.
