Financial institutions should apply the same risk management strategies and considerations to outsourced "cloud computing" activities as are required with more traditional forms of outsourcing, according to a statement issued July 10th by the Federal Financial Institutions Examination Council (FFIEC).
The FFIEC’s statement explains that while there is no universal definition of "cloud computing," it generally involves a migration from owned resources to shared resources, through which a user can access and receive information technology services on demand from third parties via the online "cloud." Cloud computing can be used to provide infrastructure, computing platforms, and software, and a cloud may be operated privately by one organization, as a community cloud shared by several organizations, as a public cloud available to any paying customer, or as a hybrid combination of two or more private, community or public clouds.
Although a financial institution’s use of outsourced cloud computing can have many potential benefits, such as cost reduction, flexibility and speed, the FFIEC statement indicates that the fundamentals of risk and risk management defined in the FFIEC Information Technology Examination Handbook (IT Handbook), particularly the Outsourcing Technology Services Booklet (Outsourcing Booklet), are as applicable to cloud computing as to other forms of information technology outsourcing. The nature of a cloud computing environment can increase the complexity of issues a financial institution may face with regard to information security, legal and regulatory considerations, and business continuity of outsourced operations. Financial institutions should perform adequate due diligence reviews, practice good vendor management, and use audits to evaluate the adequacy of a cloud service provider’s internal controls, as described in more detail in the IT Handbook and Outsourcing Booklet. Bankers should seek legal advice and review of outsourcing contracts and perform careful risk assessments before deciding to deploy a cloud computing model.