Guidelines for Financial Institutions that Use Outsourced Cloud Computing Can Help Other Businesses as Well

A federal interagency organization has released a set of guidelines for cloud computing geared towards financial institutions. The Federal Financial Institutions Examination Council (FFIEC) is an interagency body tasked with developing uniform standards and practices among agencies that perform financial institution examinations, such as the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau. It released its report, “Outsourced Cloud Computing,” on July 10, 2012, in which it highlights some of the risks faced by financial institutions that use outsourced cloud computing services, meaning cloud computing applications run by a third-party vendor operating outside of the institution’s own firewalls. The risks affect both operations and compliance for financial institutions, but the guidelines offer useful concepts for other business entities as well, as outsourced cloud computing presents risks to any type of venture. The report identifies six key areas of risk and risk management.

Due Diligence in Selecting Service Providers

Businesses must carefully review the capabilities of prospective cloud computing service providers, balancing the cost-savings benefits of outsourcing with the risks of data loss or breach. They should identify a provider whose services match their own data security plan. The three key considerations for a third party’s services, according to the guidelines, are how it classifies data it manages in the cloud, how it segregates sensitive financial data from other clients’ data, and how it responds to data losses and other disasters.

Vendor Management

This is a two-pronged process, involving both the hiring and the disengagement of a service provider. In considering whom to hire, a business must ensure that the service provider has knowledge of and experience with data in the business’s industry, particularly if the business is a financial institution. If the provider cannot meet the business’s compliance needs, it must be disengaged.

Audits

A business must have a process in place to audit a service provider’s ability to meet the business’ operational and compliance needs. Of course, this requires the provider’s willingness to submit to reasonable audits.

Information Security

Financial institutions and most other businesses are legally responsible for their data security, regardless of who actually manages their data. Every business should maintain its own inventory of the data that it stores in the cloud, and it should regularly check that the data actually stored in the cloud matches this inventory. It should also keep apprised of security incidents and have procedures for responding to incidents that occur in the service provider’s systems.

Considerations for Legal and Regulatory Obligations and Reputation

A business needs to have a complete picture of its legal and regulatory responsibilities over its data before it engages a cloud service provider or deploys a cloud computing model. Financial institutions have particularly complex obligations, so they may serve as a good model for other businesses. Service provider contracts should specify the provider’s duties related to these legal and regulatory obligations. Businesses should also consider the impact on customers and the public if a breach or other security incident were to occur.

Business Continuity Planning

Financial institutions have stringent requirements for ensuring that their business may continue in the face of various types of disasters or losses. Such planning is prudent for any business, and the protection and maintenance of data stored in the cloud should be an important component of such a plan.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today online or at (512) 901-0070.

Web Resources:

Outsourced Cloud Computing (PDF), Federal Financial Institutions Examination Council, July 10, 2012

Photo credit: ‘Dollars funnel’ by Leonardini on stock.xchng.