FFIEC: Consider Risks of Outsourced Cloud Computing

Understand the risks associated with outsourced cloud computing.

September 1, 2012

Understand the risks associated with outsourced cloud computing, warns the Federal Financial Institutions Examination Council (FFIEC) in a recent statement.

The agency defines cloud computing as a “migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’”

Outsourcing to a cloud service provider offers potential benefits such as cost reduction, flexibility, and speed. But any credit union considering using a cloud computing service must perform a thorough risk assessment and due diligence review to ensure the provider meets your expectations for cost, quality of service, compliance with regulatory requirements, and risk management.

Managing a cloud computing service provider may require additional safeguards if the provider isn’t familiar with the financial services industry and your legal and regulatory requirements to protect member information and other sensitive data.

Contracts with the cloud computing service providers should specify the providers’ obligations regarding:

Fulfilling the credit union’s responsibilities for compliance with privacy laws;

Responding to and reporting security incidents; and

Fulfilling regulatory requirements to notify members and regulators of any breaches.

The credit union must determine the adequacy of the provider’s internal controls, and adjust information technology (IT) audit policies and practices as needed to ensure proper evaluation of shared cloud environments.

There are unique security concerns when storing data in shared computing environments (e.g., increased frequency and/or complexity of security incidents). In high-risk situations, continuous monitoring may be necessary to ensure the service provider is maintaining effective controls.

Credit unions must address these risks in their information security policies and procedures.

Credit unions also must consider whether providers and network carriers have adequate plans and resources to ensure continuity of operations, as well as the ability to recover and resume operations if an unexpected disruption occurs.

Find more information in the FFIEC IT Examination Handbook at