Iowa Banking Law Blog
Cloud computing and financial institution responsibilities
Aug. 8, 2012 – Janet E. Phipps Burkhead, Iowa Banking Law Blog
The Federal Financial Institutions Examination Council’s (FFIEC) Information Technology Subcommittee issued a recent paper addressing key risks of outsourced cloud computing. “Cloud computing” is a general term for anything that involves delivering hosted technology services over the Internet. Cloud computing has become more popular as businesses look to outside sources to provide infrastructure, computing platforms, and software as a service. Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.
The FFIEC’s recent paper identifies cloud computing as just another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. As detailed in the FFIEC’s Outsourcing Booklet, a due diligence review should be performed to ensure that the provider will meet the institution’s requirements. Following are the potential issues identified by the FFIEC related to cloud computing:
Data classification: How sensitive is the data that will be placed in the cloud, and what controls should be in place to ensure it is properly protected? Does the cloud service provider appropriately encrypt or otherwise protect non-public personal
Data segregation: Will the financial institution’s data share resources with data from other cloud clients? If so, what controls does the service provider have to ensure the integrity and confidentiality of the financial institution’s data?
Recoverability: How will the service provider respond to disasters and ensure continued service? Do the financial institution’s disaster recovery and business continuity plans include appropriate consideration of this form of outsourcing, the service provider’s disaster recovery and business continuity plans, and the availability of essential communications links?
Regulatory requirements: Is the service provider able to implement changes to meet regulatory requirements?
Disengagement: In the event of a contract termination, can the institution disengage without loss of data or of its integrity, allowing a smooth transition to another provider?
Although many of the risks identified above are applicable to any outsourced provider, cloud computing may require more robust controls due to the nature of the service. Thorough due diligence and risk assessment specific to cloud computing services must be performed prior to entering into an agreement.