FFIEC Addresses Cloud RisksFinancial Regulators Issue Resource Clarifying Cloud Security
The U.S. Federal Financial Institutions Examination Council has issued a resource document to help financial institutions better understand and address unique risks posed by outsourced cloud-based services.
"Cloud computing may require more robust controls due to the nature of the service," states the four-page resource, Outsourced Cloud Computing. "When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service."
Specifically, the document addresses due diligence, vendor management, information security, audits, legal and regulatory compliance, and business continuity planning.
"This resource document just tries to acknowledge some of the terms that might be unique to the cloud," says William Henley, association director of technology for the Federal Deposit Insurance Corp. Financial institutions should continue to follow the same fundamental guidelines and risk strategies outlined in the FFIEC Information Technology Examination Handbook, especially the Outsourcing Technology Services Booklet, when it comes to cloud providers, he adds.
"This document codifies what we should look to and for in the Outsourcing Technology Services Booklet," Henley says. "The expectation of the principles, we feel, should be applied to any vendor or outsourcing relationship. There may be vendors that are providing cloud services that are not familiar with financial institutions, so those vendors may not be aware of all of the requirements in the regulatory environment that apply to financial institutions, and this is why we issued the resource document."
What the Resource Includes
Rather than focusing on the nuances of cloud-service models, FFIEC instead focuses on steps institutions should take to address cloud-computing outsourcing in the following areas:
The regulatory agencies warn that even when services are outsourced to third parties, financial institutions still bear responsibility for ensuring the security and compliance of those parties and their services.
Pointing to the FFIEC's Outsourcing Booklet, the agencies note that a due-diligence review is the responsibility of institutions, to ensure the cloud providers with which they work meet requirements for cost, quality of service, compliance and risk management.
The FFIEC highlights the following potential cloud-specific concerns:
- Data classification: How sensitive is the data and what controls should be in place (i.e. encryption) to ensure it is properly protected?
- Data segregation: Will the financial institution's data share resources with data from other cloud clients?
- Recoverability: How will the service provider respond to disasters and ensure continued service?
Many cloud service providers may require additional controls, especially if they are not familiar with legal and regulatory requirements that affect financial services.
Ensuring that cloud service providers comply with regulatory mandates is critical, as is a mechanism to be able to get out of the outsourcing relationship if necessary.
"It is important that contracts and service-level agreements are specific as to the ownership, location(s) and format(s) of data, and dispute resolution," the resource states.
To effectively evaluate and mitigate risk associated with cloud-based service providers, institutions also must determine the adequacy of the service providers' internal controls. The FFIEC notes that external auditors can assist with this evaluation by assessing whether those controls are functioning appropriately.
An institution's audit policies and procedures may need to be adjusted to address cloud computing, the document states. Likewise, audit staff may need additional training or personnel with expertise in shared environments and virtualized technologies.
Regulators note that institutions may need to revise their information security policies, standards and practices to incorporate the activities related specifically to a cloud computing service providers.
Verifying the data handling procedures, the adequacy and availability of backup data and whether multiple service providers are sharing facilities also are important considerations. Thus, the onus is on financial institutions to ensure data can be removed from all locations where it is stored in the cloud.
"In high-risk situations, continuous monitoring may be necessary for financial institutions to have a sufficient level of assurance that the servicer is maintaining effective controls," the resource document states.
Legal, Regulatory, Reputational Considerations
Before deploying anything in a public cloud, banking institutions must ensure they have clearly identified and mitigated legal, regulatory and reputational risks.
Legal mandates and compliance standards from international jurisdictions must be considered, and financial institutions may find that their abilities to maintain compliance with those mandates and standards are too complex and difficult, the document points out.
"A financial institution should understand the applicability of laws and regulations within the hosting countries and the financial institution's ability to control access to its data," the FFIEC says.
Business Continuity Planning
Business continuity planning revolves around the recovery, resumption and maintenance of the entire business, including outsourced activities. The FFIEC notes that when institutions are considering outsourcing to a cloud-computing service provider, they must determine whether that service provider and the network carriers connected to the service have adequate plans and resources to ensure business continuity.
"Cloud computing revolves around a typical vendor-management relationship," Henley says. "Institutions need to know that their responsibilities are still the same; we hold them responsible for understanding how all their data and information is protected."