FFIEC Issues Risk Management Guidance for Cloud Computing
On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing. The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’” The guidance also considers cloud computing to be a form of outsourcing subject to the risk management requirements set forth in the FFIEC Information Technology Examination Handbook for Outsourcing Technology Services.
The key risk management controls for cloud computing identified in the guidance are:
- Due Diligence – Institutions should conduct due diligence with respect to the cloud computing provider to assess the provider’s controls to protect the confidentiality and integrity of data stored in the cloud, to determine whether data will be stored on servers used by other clients of the provider and, if so, the provider’s access controls, and to evaluate the provider’s disaster recovery and business continuity plans.
- Vendor Management – Institutions may require additional controls to manage cloud computing providers that have little experience with financial institution clients and may determine that retention of a particular provider is unacceptable due to the provider’s unwillingness or inability to satisfy bank regulators’ supervisory guidance.
- Audit – Institutions’ audit coverage should include outsourced cloud computing.
- Information Security – Institutions should incorporate cloud computing services in existing information security policies, standards, and practices and ensure that data is protected and access to data is properly restricted. An institution also should effectively monitor data security threats to the institution’s systems and to the provider’s systems and develop incident response methodologies.
- Legal, Regulatory, and Reputational Considerations – Institutions should assess the extent to which cloud computing services increase the complexity of complying with applicable legal and regulatory requirements. In addition, contracts with cloud computing providers should specify the providers’ obligations with respect to institutions’ responsibilities for compliance with privacy laws, for responding to and reporting security incidents, and for fulfilling regulatory requirements to notify customers and regulators of any breaches.
- Business Continuity – Institutions should determine whether the provider and the provider’s network carriers have adequate plans and resources to ensure institutions’ continuity of operations, as well as the ability to recover and resume operations if an unexpected disruption occurs.