Mobile, Cloud Security Guidance Needed
Smaller Institutions Could Benefit from Regulators' Help
Last year, federal regulators issued FFIEC authentication guidance for online transactions. But, unfortunately, regulators apparently don't plan to issue additional guidance on the security issues involved in mobile banking and cloud computing.
Larger institutions don't really need guidance on these topics. Most are addressing risks out of necessity. Higher transaction volumes expose them to more fraud. Besides, they have the staff and budgets in place to help mitigate risks.
But smaller banking institutions - many of which are struggling to conform with the authentication guidance - would greatly benefit from some security and conformance direction on mobile banking and cloud computing from the Federal Financial Institutions Examination Council. Mobile and cloud are new frontiers for many of these organizations. So they need all the help they can get to adequately address emerging security issues.
William Henley, who serves as the associate director for the FDIC's Technology Supervision Branch, confirms that new FFIEC guidance tied to specific technologies - such as mobile and cloud - is not likely.
In a recent interview, Henley told me federal regulators are honing their approach to focus on so-called "governance-based guidance."
"We don't constantly want to be chasing every new technology that comes out," he said. "We would constantly be reactive, and it would be very difficult to keep up."
Rather than issuing guidance based on recommended controls for specific services and technologies, regulators want to issue guidance that deals with broader risk-mitigation strategies, best practices and due diligence.
A Helping Hand
The FFIEC issued updated authentication guidance for a reason: Regulators found that too many institutions were not adequately addressing online-banking risks.
Similarly, mid-tier and community-level institutions are more likely to adequately address the risks involved in mobile banking and cloud computing if they receive additional guidance.
The FFIEC is aware that many institutions need help in these arenas. That's why it issued a resource document this summer to address questions about cloud risks.
But that document fell far short of providing the comprehensive guidance that's needed, say critics, including security attorney Francoise Gilbert (see FFIEC's New Cloud Info 'Disappointing').
Clearly, institutions of all sizes should be addressing risks based on their own environments, and then following the best practices outlined in existing guidance.
But let's face it. Smaller institutions need extra help dealing with the security issues involved in mobile banking and cloud computing. Otherwise, they're left to make assumptions, guessing about what controls and security layers are needed.