On July 10, 2012, the Federal Financial Institutions Examination Council (“FFIEC”) released a statement on outsourced cloud computing activities. The statement, which was prepared by the FFIEC Information Technology Subcommittee, discusses key risk considerations associated with using third-party vendors to implement cloud computing solutions, and identifies applicable risk mitigation considerations contained in the various booklets that comprise the FFIEC IT Examination Handbook. The statement indicates that the FFIEC agencies “consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.” The paper focuses on addressing key risks of outsourced cloud computing identified in existing guidance. Key points include the following:
- Due diligence: A due diligence review should be performed to ensure that the provider will meet the financial institution’s requirements in terms of compliance with regulatory requirements, risk management and other important issues.
- Vendor management: “Managing a cloud computing service provider may require additional controls if the servicer is unfamiliar with the financial industry and the financial institution’s legal and regulatory requirements for safeguarding customer information and other sensitive data….Disengagement of a service provider is another aspect of vendor management that can be complicated in cloud computing….It is important that contracts and service level agreements are specific as to the ownership, location(s) and format(s) of data, and dispute resolution.”
- Audit: “To effectively evaluate the risk and risk mitigation associated with the use of third-party servicers, a financial institution must determine the adequacy of a servicer’s internal controls.”
- Information Security: The FFIEC statement emphasizes the importance of ensuring adequate information security.
- Legal, Regulatory, and Reputational Considerations: “Important considerations for financial institutions before deploying a public cloud computing model include clearly identifying and mitigating legal, regulatory, and reputational risks….A financial institution should understand the applicability of laws and regulations within the hosting countries and the financial institution’s ability to control access to its data. Contracts with the cloud-computing service providers should specify the servicers’ obligations with respect to the financial institutions’ responsibilities for compliance with privacy laws, for responding to and reporting about security incidents, and for fulfilling regulatory requirements to notify customers and regulators of any breaches.”
- Business Continuity Planning: “[F]inancial institutions need to determine whether the servicer and the network carriers have adequate plans and resources to ensure the financial institution’s continuity of operations, as well as its ability to recover and resume operations if an unexpected disruption occurs.”
The FFIEC statement concludes by noting that the “fundamentals of risk and risk management defined in the IT Handbook apply to cloud computing as they do to other forms of outsourcing,” but that cloud computing “may require more robust controls due to the nature of the service.”