FDIC on Disaster Recovery

Regulator Says Working in Cloud Requires Proactive Vendor Management
FDIC examiner Donald Saxinger says cloud computing can pose challenges when it comes to business continuity during disasters. Proactive vendor management, he says, is the best way to address potential hiccups before they become big problems.

For many financial institutions, vendor management has become routine. Most rely on service level agreements with core processors to serve as the example. But as more institutions turn to the cloud as a way to control costs and streamline operational efficiencies, Saxinger, team leader and subject expert for the Federal Deposit Insurance Corp.'s Division of Supervision and Consumer Protection in the area of regulatory IT examinations, says many banks take too much for granted. Working in the cloud, Saxinger says, means banks have to put additional planning into the ways they manage vendor programs, especially when it comes to business continuity.

"We listed some guidance back in 2008 and it covers a lot of new areas [such as cloud computing] and a lot of traditional areas," Saxinger says. "Reliance on interdependencies is something we highlighted here. ... Even if you are working in the cloud, you can't work in a vacuum. You have to work together to test systems. Just because you outsource does not mean you eliminate risk."

Many questions about the resilience of the cloud also exist, meaning banks really need to have a thorough understanding of how the vendors they rely on back up their regional and physical systems. "There's probably a lot more planning that needs to go into which elements are covered by the cloud's recovery process," Saxinger says.

During this second part of a two-part interview with Information Security Media Group, Saxinger discusses:

  • Lessons the industry learned about cloud downfalls from the Amazon.com outage;
  • How disaster recovery during severe storms can be foiled if service level agreements with cloud vendors are not clearly spelled out;
  • Why testing is so critical, before an outage occurs.

Be sure to also listen to part 1, when Saxinger talks about vendor management programs and the heightened scrutiny they are now getting from regulators, especially in areas of emerging technology. [See FDIC on Improving Vendor Management.]

Saxinger is the team leader and subject expert for the FDIC's Division of Supervision and Consumer Protection in the area of regulatory IT examinations. He serves as the lead developer of the FDIC's IT examination standards and procedures, IT examiner education, and IT examination oversight. He has authored or contributed to various regulatory policies such as third-party risk and outsourcing, business continuity, payment systems, authentication, identity theft, spyware, and other emerging technologies. He is also a member of the FFIEC IT Examination Handbook working group which publishes the interagency guidance and examination procedures for various IT, payment, and operational risk areas.
