October 15, 2012

In their latest statement on managing cloud computing risks, the FFIEC has made it clear that cloud vendors must adhere to the same due diligence, contract and monitoring guidelines as any other vendor. In other words, the decision must be consistent with the strategic goals of the institution, the vendor must still address information security concerns and must satisfactorily recover and resume operations in the event of a disaster. However, there are several often-overlooked elements that must be considered prior to engaging any cloud-based vendor; elements that may very well be deal breakers if not handled properly.

1. Do they contractually hold themselves to the same high data privacy, security, confidentiality, integrity and availability standards required of financial institutions?

It used to be understood that anyone offering services to financial institutions had to contractually adhere to GLBA guidelines, but with all the relatively new vendors competing for business, it can’t be assumed or taken for granted any more. Make sure the contract stipulates it.

2. If so, can they document adherence to that standard by producing a third-party report, like the SOC 2?

Even if the contract stipulates adherence, you must determine the adequacy and effectiveness of a servicer’s internal controls by requesting, receiving and reviewing the appropriate third-party report prior to engaging…and then periodically throughout the relationship.

3. Do you know exactly where your data will be physically stored?

Both the biggest strength and the biggest weakness for cloud vendors is in the redundant and distributed nature of the data. Having data stored multiple times in multiple locations throughout the country is great for high availability, but makes it almost impossible to ensure compliance with your policies for proper handling and storing of information. You must know where you data is located at all times, and how it gets there. And if your data is ever transmitted or stored outside the U.S., you’ll need to understand the rules and regulations of the hosting country.

4. Will they retain and destroy information consistent with your internal data retention policies?

Internal retention and destruction policies must be observed regardless of how or where the data is stored. If the data is stored in multiple locations, all occurrences must be destroyed. It is important that their policies are in alignment with yours, because there may be additional regulatory and legal exposure if data is either destroyed too early, or retained too long.

5. What happens to your data once your relationship with the vendor is terminated?

The vendor disengagement process is particularly challenging with cloud vendors because you can’t simply walk away any more than you can just throw out a hard drive. The data must be irretrievably wiped, not simply deleted. The same refers to the encryption keys.

6. Do they have a broad and deep familiarity with the regulatory requirements of the financial industry?

According to the most recent statement from the FFIEC on managing cloud vendors, because of the increased legal and regulatory risks, “managing a cloud computing service provider may require additional controls if the servicer is unfamiliar with the financial industry." It is critical then, to choose a vendor with expertise and experience in the industry.

7. If so, are they willing and able to make changes to their service offerings necessitated by those requirements?

Even if the vendor demonstrates adequate familiarity with the financial industry, they must be willing to make the necessary changes in their services if and when regulations change. Unless financial companies make up the majority of the vendor’s clientele, they may not be willing, and “under such circumstances, management may determine that the institution cannot employ the servicer.”

Tom Hinkel is the Director of Compliance for Safe Systems, an IT-support provider for financial institutions focused on compliance.