U.S. bank regulators warn on due diligence in using cloud computing services
Bank regulators this week raised their warnings to financial institutions on the dangers of using vendors that provide so-called “cloud computing” services.
Cloud computing lets businesses outsource data storage and transactions to vendors that host remote datacenters that can only be accessed over the internet. The model allows the companies to change their information technology without buying and setting up new systems.
Bank regulators, however, want financial firms to do a better job of evaluating their vendors’ practices, citing the fact that a number of cloud computing vendors have suffered data breaches.
Cloud computing is another form of outsourcing, with the same basic characteristics and risk management requirements as traditional forms of outsourcing, the Federal Financial Information Examination Council said in a statement this week.
“Cloud computing may require more robust controls due to the nature of the service. When evaluating the feasibility of outsourcing to a cloud computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessments of elements specific to that service,” the FFIEC said.
The FFIEC is a council of regulators that includes the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.
The FFIEC regulators warned firms that they would need to establish a sound risk management plan that incorporates vendor management, information security, and business continuity planning.
The FFIEC statement follows a June letter by the FDIC to deposit-taking institutions, urging them to conduct more background checks on their vendors after FIS, a banking and payments technology provider, suffered a breach that cost the company $12.7 million in fraud-related losses.
A month earlier, Thomas Curry, who heads the OCC, warned that the risk of loss due to failures of people, processes and systems was increasing because of the growing complexity of today’s banking markets and the technology that underpins them.
Due diligence in measuring and monitoring the risk from third-party relationships is an essential part of a bank’s risk management, Curry said.
Read the full statement here: http://www.finextra.com/finextra-downloads/newsdocs/cloud_computing.pdf