Outsourced Cloud Computing: FFIEC Warns of Pitfalls

By Amanda R. Yurechko, Esq.

On July 10, 2012, the Federal Financial Institutions Examination Council (FFIEC) issued an opinion on cloud computing and the associated risk to the financial industry. Cloud computing is the buzzword used to describe a wide variety of business practices. The FFIEC struggled to find one definition of “cloud computing,” but in general described it as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud’.” Cloud computing as a term can be used to describe service-related products, meaning the provision of infrastructure, computing platforms and software, or deployment-related products, meaning how the cloud service is provided. Clouds can be private to one organization, shared by communities of organizations, or public – open to any paying user.

When financial institutions outsource cloud computing, the risk increases just as with any other outsourced service. The FFIEC directs financial institutions to its previously published FFIEC Information Technology Examination Handbook (IT Handbook) and its Outsourcing Technology Services Booklet for discussion of these risks.

Highlighted by the FFIEC’s opinion are the following areas of risk that should be considered:

  • Due Diligence – Ensuring the third party’s activity is conducted in compliance with applicable laws and regulations in a safe and sound manner, in line with the institution’s strategic plan and corporate objectives. The FFIEC opinion asks the financial institution to consider the classification of the data placed in the cloud. For example, will the data be properly encrypted to protect non-public information from disclosure? Will the information be housed on servers used by other clients, and what controls will the vendor use to protect the data? Finally, does the vendor have a disaster recovery plan?
  • Vendor Management – Vendors familiar with the regulations placed upon financial institutions should be chosen, and the financial institution should watch to ensure the proper changes are made by the vendor as regulations change. Also, the contract should clearly spell out who owns the data and how disputes may be resolved.
  • Audits – Financial institutions should have audits performed by auditors familiar with the issues presented by cloud computing to ensure internal controls are functioning properly.
  • Information Security – Before entering into a relationship with a cloud computing vendor, the financial institution should ensure this relationship is in line with its own security policies, standards and practices. The FFIEC notes that continuous monitoring may be necessary to ensure the provider is maintaining effective controls. Controls on information in the cloud should include identity and access management, and encryption. The financial institution should have a process to monitor, investigate and document security threats and incidents on its own server, as well as the cloud. The financial institution should also confirm that any data stored in the cloud can be completely removed at the end of the relationship.
  • Legal, Regulatory and Reputational Considerations – Contracts with the provider should clearly spell out the legal and regulatory requirements that the financial institution is bound by and that are attached to the storage of the data. The vendor may be overseas, the data may be stored overseas, or the vendor may be handling data from numerous sources with distinct requirements. The financial institution cannot rely on the vendor to know the applicable regulations.
  • Business Continuity Planning – Does the vendor have adequate plans and resources to restore data after destruction?

The FFIEC opinion notes that cloud computing may not be in every financial institution’s best interest if each of these issues cannot be satisfactorily resolved before the start of the relationship.

Amanda is an attorney in Consumer & Commercial Collections of Weltman, Weinberg & Reis Co., LPA located in the Cleveland office. She can be reached at 216.685.1060 and ayurechko@weltman.com


2 thoughts on “Outsourced Cloud Computing: FFIEC Warns of Pitfalls”

  1. It is interesting that the cloud computing issue is really nothing more than a form of IT outsourcing. The FFIEC opinion really is a simple re-iteration that you can outsource a function, but you never give up the responsibility for ensuring it is done right. Your requirement to manage the risks associated with the function never leaves you, but the outsourcing complicates it.

    Vendor management is really vendor relationship management (you never manage the vendor, and thinking that you do will get you into trouble.) What you manage is your relationship with that vendor–knowing what they owe you and what you owe them; understanding their stability, financial, risk, and business continuity; ensuring that what is written into the contract includes enforceable deliverables, terms that protect your interests, and no surprises; validating their contract performance periodically, not just when it’s time to renew.

    This same due diligence should really apply to all your purchases. The only difference depends on the criticality of the service or product the vendor provides.

  2. Cloud computing really has a risk, but if you don’t know how to manage it you will not see a good result. Most of the time in Finland, IT companies share their ideas and thoughts on cloud computing; sometimes risk is not a problem if you have done it very well.
