Iowa Banking Law Blog

Cloud computing and financial institution responsibilities
Aug. 8, 2012 | The Dickinson Law Newsroom, Iowa Banking Law Blog
Cloud Computing

The Federal Financial Institutions Examination Council’s (FFIEC) Information Technology Subcommittee recently issued a paper addressing key risks of outsourced cloud computing. “Cloud computing” is a general term for anything that involves delivering hosted technology services over the Internet. Cloud computing has become more popular as businesses look to outside sources to provide infrastructure, computing platforms, and software as a service. Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.

The FFIEC’s recent paper identifies cloud computing as just another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. As detailed in the FFIEC’s Outsourcing Booklet, a due diligence review should be performed to ensure that the provider will meet the institution’s requirements. Following are the potential issues identified by the FFIEC related to cloud computing:

Data classification: How sensitive is the data that will be placed in the cloud, and what controls should be in place to ensure it is properly protected? Does the cloud service provider appropriately encrypt or otherwise protect non-public personal information (NPPI) and other data?

Data segregation: Will the financial institution’s data share resources with data from other cloud clients?  If so, what controls does the service provider have to ensure the integrity and confidentiality of the financial institution’s data?

Recoverability: How will the service provider respond to disasters and ensure continued service? Do the financial institution’s disaster recovery and business continuity plans include appropriate consideration of this form of outsourcing, the service provider’s disaster recovery and business continuity plans, and the availability of essential communications links?

Regulatory requirements: Is the service provider able to implement changes to meet regulatory requirements?

Disengagement: In the event of a contract termination, can the institution disengage without loss of the data or its integrity and make a smooth transition to another provider?

Although many of the risks identified above are applicable to any outsourced provider, cloud computing may require more robust controls due to the nature of the service.  Thorough due diligence and risk assessment specific to cloud computing services must be performed prior to entering into an agreement.

Industry Categories: Banks & Financial Institutions
Practice Area Categories: Banking Law, Business Law