FFIEC Releases Statement on Cloud Computing Risks and Considerations

The Federal Financial Institutions Examination Council (FFIEC), an interagency body that advises a number of federal agencies on appropriate standards for the regulation of financial institutions, recently released a statement on cloud computing. In essence, the Council considers cloud computing "to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing." The topics the statement addresses as important elements of a sound risk management policy include vendor management, data segregation and recoverability, information security, audit rights, legal and regulatory compliance, and business continuity planning. The statement stressed that a financial institution’s use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations.