FFIEC Addresses Cloud Risks

Financial Regulators Issue Resource Clarifying Cloud Security

The U.S. Federal Financial Institutions Examination Council has issued a resource document to help financial institutions better understand and address unique risks posed by outsourced cloud-based services.


"Cloud computing may require more robust controls due to the nature of the service," states the four-page resource, Outsourced Cloud Computing. "When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service."

Specifically, the document addresses due diligence, vendor management, information security, audits, legal and regulatory compliance, and business continuity planning.

"This resource document just tries to acknowledge some of the terms that might be unique to the cloud," says William Henley, associate director of technology for the Federal Deposit Insurance Corp. Financial institutions should continue to follow the same fundamental guidelines and risk strategies outlined in the FFIEC Information Technology Examination Handbook, especially the Outsourcing Technology Services Booklet, when it comes to cloud providers, he adds.

"This document codifies what we should look to and for in the Outsourcing Technology Services Booklet," Henley says. "The expectation of the principles, we feel, should be applied to any vendor or outsourcing relationship. There may be vendors that are providing cloud services that are not familiar with financial institutions, so those vendors may not be aware of all of the requirements in the regulatory environment that apply to financial institutions, and this is why we issued the resource document."

What the Resource Includes

Rather than focusing on the nuances of cloud-service models, FFIEC instead focuses on steps institutions should take to address cloud-computing outsourcing in the following areas:

Due Diligence

The regulatory agencies warn that even when services are outsourced to third parties, financial institutions still bear responsibility for ensuring the security and compliance of those parties and their services.

Pointing to the FFIEC's Outsourcing Booklet, the agencies note that a due-diligence review is the responsibility of institutions, to ensure the cloud providers with which they work meet requirements for cost, quality of service, compliance and risk management.

The FFIEC highlights the following potential cloud-specific concerns:

  • Data classification: How sensitive is the data and what controls should be in place (e.g., encryption) to ensure it is properly protected?
  • Data segregation: Will the financial institution's data share resources with data from other cloud clients?
  • Recoverability: How will the service provider respond to disasters and ensure continued service?

Vendor Management

Many cloud service providers may require additional controls, especially if they are not familiar with legal and regulatory requirements that affect financial services.

Ensuring that cloud service providers comply with regulatory mandates is critical, as is a mechanism to be able to get out of the outsourcing relationship if necessary.

"It is important that contracts and service-level agreements are specific as to the ownership, location(s) and format(s) of data, and dispute resolution," the resource states.

Audits

To effectively evaluate and mitigate risk associated with cloud-based service providers, institutions also must determine the adequacy of the service providers' internal controls. The FFIEC notes that external auditors can assist with this evaluation by assessing whether those controls are functioning appropriately.

An institution's audit policies and procedures may need to be adjusted to address cloud computing, the document states. Likewise, audit staff may need additional training or personnel with expertise in shared environments and virtualized technologies.

Information Security

Regulators note that institutions may need to revise their information security policies, standards and practices to incorporate the activities related specifically to cloud computing service providers.

Verifying the data handling procedures, the adequacy and availability of backup data, and whether multiple service providers are sharing facilities are also important considerations. The onus is on financial institutions to ensure data can be removed from all locations where it is stored in the cloud.

"In high-risk situations, continuous monitoring may be necessary for financial institutions to have a sufficient level of assurance that the servicer is maintaining effective controls," the resource document states.

Legal, Regulatory, Reputational Considerations

Before deploying anything in a public cloud, banking institutions must ensure they have clearly identified and mitigated legal, regulatory and reputational risks.

Legal mandates and compliance standards from international jurisdictions must be considered, and financial institutions may find that their abilities to maintain compliance with those mandates and standards are too complex and difficult, the document points out.

"A financial institution should understand the applicability of laws and regulations within the hosting countries and the financial institution's ability to control access to its data," the FFIEC says.

Business Continuity Planning

Business continuity planning revolves around the recovery, resumption and maintenance of the entire business, including outsourced activities. The FFIEC notes that when institutions are considering outsourcing to a cloud-computing service provider, they must determine whether that service provider and the network carriers connected to the service have adequate plans and resources to ensure business continuity.

"Cloud computing revolves around a typical vendor-management relationship," Henley says. "Institutions need to know that their responsibilities are still the same; we hold them responsible for understanding how all their data and information is protected."

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.