On July 11, 2012, the federal financial regulatory agencies, through the Federal Financial Institutions Examination Council (“FFEIC”), issued a joint interagency statement (the “Statement”) on the use of cloud computing services by financial institutions. In particular, the statement focused on the risks associated with such services. Cloud computing provides its users with information technology (“IT”) services through the internet, rather than through owned or leased IT servers or platforms. This outsourcing of IT services offers many benefits to users, including increased operational efficiencies, lower costs and better backup services. However, the FFIEC warns that use of cloud computing involves many of the same risks as traditional IT outsourcing, as well as certain risks that are particular to cloud computing.
The Statement first focuses on the due diligence that a financial institution should perform before outsourcing any significant IT functions to a cloud computing vendor. A financial institution should understand how the vendor encrypts data, segregates the data of its various users, and backs up the data in the cloud. The Statement also recommends confirming with the cloud computing vendor that it is aware that a financial institution, as a client, has particular regulatory requirements for safeguarding its customer data. The vendor should be able to meet such requirements, and adapt its services should any of the requirements change.
The Statement also discusses the internal adjustments that a financial institution needs to make to use cloud computing properly. Auditing practices should be updated to be able to determine if a vendor’s internal controls are sufficient. A financial institution may also need to provide its internal auditors with additional training or hire additional personnel to ensure sufficient experience with shared environments and virtualized technologies.
The Statement also recommends that financial institutions using cloud computing revise their information security policies and practices. Maintaining data privacy is still ultimately the financial institution’s responsibility, so additional monitoring and data inventory may be required to ensure compliance. Lastly, financial institutions need to review the legal, regulatory and reputational considerations that must be addressed when a financial institution uses cloud computing. Financial institutions should also revise their business continuity plans to reflect the use of such new services.