On July 10, 2012, the Federal Financial Institutions Examination Council (FFIEC)1 issued a statement (the "FFIEC Statement") cautioning financial institutions to undertake thorough due diligence and risk assessment for outsourced cloud computing arrangements.2 While affirming that "the fundamentals of risk and risk management" for other forms of outsourcing (as described in the FFIEC Information Technology Examination Handbook3) apply to cloud computing, the FFIEC Statement concludes that "[c]loud computing may require more robust controls due to the nature of the service."
The FFIEC Statement highlights six key elements of outsourced cloud computing implementation and risk management: (i) due diligence; (ii) vendor management; (iii) auditing; (iv) information security; (v) legal, regulatory and reputational considerations; and (vi) business continuity planning. In general, the FFIEC Statement reiterates the importance of these functions, while identifying particular areas of concern for each with respect to outsourced cloud computing, including data handling and storage. The FFIEC Statement identifies data classification, data segregation and recoverability as potential issues in outsourced cloud computing arrangements. In particular, the FFIEC Statement advises that financial institutions should implement or maintain the following information security controls: "a comprehensive data inventory and suitable data classification process," appropriate access restrictions to customer data through identity and access management, effective monitoring of security incidents, comprehensive incident response methodologies and "appropriate forensic strategies for investigation and evidence collection." According to the FFIEC Statement, verifying data handling procedures, the adequacy and availability of backup data and whether providers share facilities are important considerations. Vendors that are unfamiliar with regulatory requirements may require additional controls, and multi-tenant deployments may increase the need for data protection through encryption and assurances that proper controls are in place. The FFIEC expects financial institutions to identify, mitigate, understand and appropriately address attendant legal and regulatory risks, noting that assessing compliance may be more complex where data is stored overseas or commingled with data for customers that operate under diverse legal and regulatory regimes.
Consistent with these statements, the FFIEC also identifies several issues that should be specifically addressed in outsourced cloud computing agreements: (i) ownership, locations and formats of data; (ii) dispute resolution; (iii) the removal or deletion of non-public personal information ("NPPI") from the vendor's systems upon expiration or termination of the services and (iv) the vendor's obligations with respect to the financial institutions' responsibilities for compliance with privacy laws, for responding to and reporting security incidents, and for fulfilling regulatory requirements to notify customers and regulators of any breaches.
Although it is thin on details, the FFIEC Statement is a clear indication that regulators view current risk management guidelines as appropriate for cloud-based outsourcing solutions, but expect a higher level of scrutiny in the application of such guidelines by financial institutions. Importantly, the FFIEC Statement sends a clear signal to the bargaining table that it expects arrangements between financial institutions and cloud computing vendors to adequately account for certain legal and regulatory requirements and that the "potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed" do not obviate this need. Two particular lines addressing data security in the FFIEC Statement appear to significantly caution financial institutions. Namely, the FFIEC Statement warns that (i) "entering into a third-party relationship . . . may be ill advised" (emphasis added) if a financial institution cannot be sure that its data is sufficiently protected and controlled by such third party and (ii) "it is prudent to ensure that the cloud-computing service provider can remove NPPI from all locations where it is stored" (emphasis added) before entering into a relationship with such service provider. For those who have been hoping that the regulatory landscape would be adapted to better align with the nature of cloud-based solutions, the FFIEC Statement may disappoint. Instead, it advocates application of current regulations in their existing form and implies that cloud vendors will have to adapt and align their solutions to the legacy regulatory environment if they want to sell to the lucrative financial services market. Time will tell whether any added expenses associated with regulatory compliance will negate the cost savings of the cloud model or otherwise dampen the excitement in the financial services industry generated by the number of new cloud-based outsourcing solutions offered by service providers.