On July 10, 2012, the Federal Financial Institutions Examination Council (FFIEC) issued a statement (the "FFIEC Statement") cautioning financial institutions to undertake thorough due diligence and risk assessment for outsourced cloud computing arrangements. While affirming that "the fundamentals of risk and risk management" for other forms of outsourcing (as described in the FFIEC Information Technology Examination Handbook) apply to cloud computing, the FFIEC Statement concludes that "[c]loud computing may require more robust controls due to the nature of the service."

The FFIEC Statement highlights six key elements of outsourced cloud computing implementation and risk management: (i) due diligence; (ii) vendor management; (iii) auditing; (iv) information security; (v) legal, regulatory and reputational considerations and (vi) business continuity planning. In general, the FFIEC Statement reiterates the importance of these functions, while identifying particular areas of concern for each with respect to outsourced cloud computing, including data handling and storage. The FFIEC Statement identifies data classification, data segregation and recoverability as potential issues in outsourced cloud computing arrangements.

Please see full alert below for more information.