Cloud computing has gone from technology buzzword to an integral part of the IT puzzle. For financial institutions, however, the pressure to ensure the utmost in security and compliance when deploying a new technology or adding a vendor relationship has not eased, and in that sense the cloud is no different.
So much innovation is taking place in the cloud that banks are left in a difficult spot: the advantages are clear, but regulatory mandates require institutions to assure that data is properly secured. One of the critical considerations, especially when working with an outside cloud vendor, is control.
Financial institutions must understand what standards are in place to:
- Protect data.
- Manage user access.
- Know where the data is located (in the United States or overseas?).
- Understand how the data flows in and out of the cloud provider.
- Determine whether data can be recovered in the event of a disaster.
- Retrieve all of your data if you cancel your service with that cloud vendor.
With these key standards in mind, risk management in the cloud isn’t necessarily all that different from risk management with regard to any new technology or vendor relationship. And when it comes to understanding the compliance issues inherent to the cloud, a good place to start is with the FFIEC, which states:
“The FFIEC Agencies consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.”
With the benefits in mind, there are also a number of red flags financial institutions should watch for in the course of due diligence: things that might not mean as much in some other industries but are critical within financial services.
- Cross-border datacenters / foreign-based providers—The biggest risk is not knowing where your data is located. A cloud provider based outside the United States is subject to a different set of laws and operates under a separate political regime with different regulatory requirements. Geopolitical issues might not always come into play, but any relationship with a foreign vendor adds a layer of complexity to your own risk management. The same concern applies to U.S.-based providers that replicate or ship data to datacenters outside U.S. borders. Given how cloud providers distribute and replicate data, there is no easy way to guarantee that all of an institution's data will remain within the United States unless the vendor commits to that in writing, so ask where data (including backups) is stored and have the answer reflected in the contract.
- Venture capital-backed startups—The last decade has seen a boom in tech startups building new services and tools that quickly become widely adopted. Many of these are funded by private capital and might not yet have a clear profit model. Perhaps they plan to take the company public one day, or perhaps they hope to be acquired by a larger, more established corporation. Ask yourself whether that business model is right for your data and, if the plan is acquisition, whether the terms and conditions of your existing contract will carry over to the new entity.
- Consumer-targeted services—Services like Dropbox and Google Apps have gained popularity with the general public, but they represent a significant weakness for financial institutions. There is little argument about their convenience, but there is also very little centralized control. For instance, if an employee stores documents in a personal Dropbox account to work on at home, the institution has no control over that account or access to those documents when the employee leaves. If the employee did not destroy those sensitive documents, they remain a risk to your institution.
- Data retention/destruction—Internal data retention and destruction policies must be observed regardless of where or how the data is stored. If the vendor stores data in multiple locations, ask whether every instance, including backup copies, is destroyed. The institution risks additional legal or regulatory exposure if data is destroyed either too early or too late. Should you end the relationship at any point, understand that the vendor disengagement process can be particularly challenging with cloud vendors. You cannot simply walk away, just as you cannot simply throw away an old hard drive. Ask up front whether the vendor irretrievably wipes data or simply deletes it.
The farther removed a cloud service provider is from serving banking exclusively, the less familiar that vendor will be with the regulatory mandates financial institutions deal with day to day. A consumer product might work for an individual, but it lacks the controls and considerations that come standard with an enterprise product. Even then, an enterprise provider that works primarily outside the banking industry might not offer products that properly align with the strict guidelines set by financial regulators.
As a financial institution, you are responsible for weighing these categories according to what is appropriate for your institution, but it is not enough to do so informally: regulators want to see evidence that you are adequately managing these risks. The single most important control is the vendor contract. Most cloud services live outside the bank itself, which opens institutions to the same responsibilities that come with any outsourced solution. From the FFIEC Handbook:
“The degree of oversight and review of outsourced activities will depend on the criticality of the service, process, or system to the institution’s operation.”
Any outsourcing decision must be made with awareness and acknowledgement of the risks. Remember this while selecting service providers, and document the selection process so you can demonstrate "effective management." It is about risk management, not cloud technology. As you take steps toward incorporating cloud solutions, keep those best practices in mind. Avoid the red flags, and ensure that the providers you ultimately choose work closely with the banking industry and can meet the data privacy, security, confidentiality, integrity, and availability standards that banks and credit unions require.
Safe Systems provides compliance-centric IT solutions exclusively to financial institutions.