Although cloud computing offers many potential benefits, it's not without risk. That's why the Federal Financial Institutions Examination Council (FFIEC) advises looking closely at outsourced cloud computing solutions before signing on for such a service.
"Outsourcing to a cloud service provider can [create] potential benefits such as cost reductions, flexibility, scalability, improved load balancing, and speed," the agency reports.
"Before approving any outsourcing of significant functions, it's important to ensure such actions are consistent with the institution's strategic plans and corporate objectives."
When selecting a cloud computing service, FFIEC advises financial institutions to address:
• Due diligence. Determine what controls will be in place to protect sensitive data, and make sure the cloud provider encrypts or otherwise protects data whose disclosure could harm either the institution or the consumer. Also, make sure the service provider has disaster recovery and business continuity plans, and can ensure continued service.
• Vendor management. Additional controls may be required if the service provider is unfamiliar with the financial industry and with the financial institution's legal and regulatory requirements for safeguarding consumer information and other sensitive data.
Credit unions need to determine the adequacy of the servicer's internal controls and whether these controls are functioning appropriately. They also may need to revise their information security policies, standards, and practices to incorporate activities related to cloud computing. In high-risk situations, continuous monitoring may be necessary to provide sufficient assurance that the servicer is maintaining effective controls.
• Legal, regulatory, and reputational risks. The nature of cloud computing may increase the complexity of compliance with applicable laws and regulations because consumer data may be stored or processed overseas. This may make compliance with related regulations more difficult.
Specify the cloud provider's obligations regarding your requirements for compliance with privacy laws, responding to and reporting security incidents, and fulfilling regulatory requirements to notify customers and regulators of any breaches.
• Business continuity planning. Does the provider have adequate plans and resources in place to ensure your continuity of operations if an unexpected disruption occurs?
"As with other service provider offerings," FFIEC reports, "cloud computing may not be appropriate for all financial institutions."