United States: Federal Financial Agencies Issue Cautionary Statement On Financial Institution Cloud Computing Services
Last Updated: July 12 2012
Article by Charles M. Horn

On July 11, 2012, the federal financial regulatory agencies ("Agencies"),1 through the Federal Financial Institutions Examination Council ("FFIEC"), issued a joint interagency statement ("Statement") on the use by financial institutions of outsourced cloud computing services, and the key risks associated with such services.2 The Statement, the substance of which is also being incorporated into the FFIEC's Information Technology Examination Handbook ("IT Handbook"),3 is the first formal federal financial agency statement on the matter of cloud computing, a subject that has garnered substantial attention in the financial services industry but that, to date, has not been formally addressed by the federal financial regulators. In general, the Statement reaffirms that the fundamentals of existing risk and risk management requirements that currently are applicable to financial institution outsourcing of IT services apply equally to outsourced cloud-based services, while identifying certain risks that, in the Agencies' view, are of particular concern with respect to such services.

Cloud Computing – An Overview

Cloud computing is an IT delivery model where IT services are provided to users from remote servers and facilities over the Internet rather than through owned or leased IT servers and platforms. The cloud technology offers important benefits to users, including the chance for significant cost savings and operational efficiencies; flexibility in deployment; ready access to information systems, applications, and data; better backup services; and faster and more responsive upgrade functionalities. Through cloud computing services, users have the ability to outsource all or part of their IT hardware architecture (infrastructure as a service, or IaaS), operating systems and platforms (platform as a service, or PaaS), or software applications (software as a service, or SaaS) as they choose. "Clouds" can be private, where the services are operated solely for one organization (or a small group of organizations, which some refer to as "community" clouds), typically on a dedicated or partitioned platform; public, where the services are shared by numerous customers, and typically operated on a shared platform; or hybrid, which entails a combination of private and public cloud services.

Potential hosts such as major IT service providers see very significant business opportunities in cloud computing, and as a result, the interest in, and demand for, cloud computing services has increased dramatically over the past several years.4 At the same time, financial institutions have increasingly recognized the potential technological, legal and regulatory challenges, including information security, data integrity and privacy, and business continuity issues, associated with their use of remote IT services for core operations and storage of critical and sensitive data. In turn, these challenges have caused financial institutions, especially those in the United States, to move cautiously toward cloud-based solutions.

The Statement

Up until now, specific financial regulatory guidance on financial institutions' use of cloud-based IT services has been almost nonexistent. As a result, financial institutions have effectively had to "interpolate" general regulatory guidance on IT outsourcing5 in their evaluation and use of cloud-based IT services. Therefore, the Agencies' Statement is a useful start in filling in the regulatory gaps on this topic, although the Statement's guidance is relatively short on specifics and may not tell financial institutions a great deal that they did not already know about their IT outsourcing responsibilities in the cloud context.

In substance, the Statement affirms that outsourced cloud computing services are subject to the same basic risk identification and risk management principles and requirements that exist in the existing regulatory guidance.6 The Statement goes on to say, however, that the nature of cloud computing services may require "more robust" controls.

And what are those controls? The Statement identifies six areas where financial institution risk management efforts relating to outsourced cloud IT services need to be particularly vigilant: (i) due diligence of cloud IT vendors; (ii) management of cloud IT vendors; (iii) vendor audit responsibilities; (iv) information security; (v) legal, regulatory, and reputational risks; and (vi) business continuity planning. Those financial institutions familiar with the Agencies' existing IT guidance on outsourcing in general will find nothing new in these broad areas, but the Statement does go on to highlight specific issues within these six areas that arise in the cloud IT environment.

Due Diligence: The Agencies expect financial institutions, through a due diligence review, to ensure that cloud IT service providers can meet the financial institution's requirements for cost, quality of service, compliance with regulatory requirements, and risk management. The Statement identifies the following specific areas that financial institutions should take into account, and review and evaluate, during the due diligence process:

  • Data classification: the sensitivity of data that will be placed in the cloud and the controls that will be needed to ensure it is properly protected (e.g., encryption of non-public personal information and other data whose disclosure could harm the institution or its customers).
  • Data segregation: whether the financial institution's data will share resources with data of other cloud clients, and the controls that service providers will have in place to ensure the integrity and confidentiality of the financial institution's data.
  • Recoverability: the financial institution's and IT service provider's disaster recovery and business continuity plans.

Vendor Management: The Statement generally cautions financial institutions to ensure that their cloud computing service providers are familiar with the financial industry, and the legal and regulatory requirements for safeguarding financial customer information and other sensitive data, and are able to address applicable regulatory requirements. Financial institutions, especially smaller ones, are also cautioned that cloud IT contracts and service level agreements must be "specific as to the ownership, location(s) and format(s) of data, and dispute resolution."

Audit: The Statement cautions financial institutions that they may need to adjust their audit policies and practices to provide acceptable IT audit coverage of outsourced cloud computing, and to augment their internal audit staff's resources with additional training and with personnel who have sufficient expertise in evaluating shared environments and virtualized technologies.

Information Security: The Statement advises financial institutions that they may need to revise their information security policies, standards, and practices to incorporate the activities related to a cloud computing service provider, which may include "continuous monitoring" in high-risk situations. Financial institutions are also expected to maintain a "comprehensive data inventory and a suitable data classification process" and limit access to customer data through effective identity and access management, particularly in the case of multi-tenant cloud environments. The Statement also cautions financial institutions on the identification and management of data in the cloud, saying they should ensure effective monitoring of, responses to, and investigations of (including forensic strategies for) "security-related threats, incidents, and events" on both their own and their service providers' networks. The Statement specifically refers to the need for caution in storing data in overseas locations, which may require financial institutions to place contractual restrictions on the locations at which providers may store data. In addition, the Statement advises financial institutions that it would be "prudent" to ensure that a cloud IT service provider is obligated, and has procedures in place, to remove all non-public personal information from its infrastructure at the conclusion of the servicing relationship.

Legal, Regulatory, and Reputational Considerations: The Statement warns financial institutions that they should clearly identify and mitigate applicable legal, regulatory, and reputational risks, given the complexity of compliance with applicable laws and regulations in a cloud environment where customer data may be stored or processed at remote locations, including overseas. Financial institutions are expected to understand the applicability of laws and regulations within the hosting jurisdictions and the financial institutions' ability to control access to their data. Contracts with cloud IT service providers should address the parties' obligations with respect to compliance with privacy laws, responding to and reporting security incidents, and fulfilling regulatory requirements to notify customers and regulators of any breaches.

Business Continuity Planning: Finally, the Statement cautions financial institutions to determine whether a cloud IT service provider and the network carriers have adequate plans and resources to ensure a financial institution's continuity of operations, as well as its ability to recover and resume operations if an unexpected disruption occurs.

Some Observations

The Agencies' Statement, like the existing FFIEC guidance on IT outsourcing activities in general, is principles-based and short on specific requirements for risk management and compliance strategies, policies, and procedures.7 Therefore, financial institutions will not find a great deal in the Statement that will materially aid them in meeting their supervisory obligations with respect to the procurement and use of cloud computing services from third parties, although the Statement might serve as a type of checklist of substantive issues that must be addressed. Part of the difficulty with the application of these agency guidelines to specific cloud IT applications is that the nature and depth of the risk management issues, and the solutions to those issues, will vary significantly according to the type of cloud platform being used (public, private, hybrid), the nature of the applications being acquired (IaaS, PaaS or SaaS), and the nature and sensitivity of the information being placed "in the cloud."

What is perhaps more significant about the Statement is that it reflects a discrete level of regulatory concern over the risks specifically associated with cloud IT environments, particularly in areas such as vendor management, information security, data integrity and business continuity planning. These specific concerns may be less relevant – but not totally irrelevant – to financial institutions that employ private cloud networks, but any financial institution that proposes to use any type of shared cloud solution will need to be fully attentive to these regulatory worries. At a minimum, this would require the development and implementation of documented programs, policies and procedures to support a financial institution's selection and implementation of a particular cloud application, and demonstrate that the risks identified in the Statement have been specifically considered and addressed.

In addition, cloud IT vendors are effectively being told by the Agencies that they must "play ball" with their financial institution clients by addressing to the Agencies' satisfaction the particular legal, regulatory, and supervisory obligations of regulated financial institutions with respect to their IT procurement activities. Current experience, however, suggests that many public and hybrid cloud system service providers have not reached the point of fully accommodating the particular business and regulatory obligations of highly regulated financial institutions. In many such relationships, vendor terms and conditions are generally tilted in favor of the vendor on core matters (including service levels, business continuity responsibilities, rights of termination without cause, remedies for damages, and limitations on indemnifications). These vendors have typically been reluctant to negotiate away from these terms because their business models have depended on a "one size fits all" approach. However, given the Agencies' increased scrutiny over financial institutions' use of cloud-based solutions, IT services providers in the cloud environment that are disinclined to respond to financial regulatory concerns in areas such as audit, data protection and business continuity may in the future be left "outside the gates" of the financial institution community.

In sum, the Statement adds little of substance to the task of addressing and resolving the known technology, operational, legal, and regulatory issues associated with cloud technology.8 At the same time, the Statement serves as a cautionary note that the Agencies will be attentive to whether their regulated financial institution constituents properly address and resolve these issues before they enter into a third-party cloud IT relationship.

Footnotes

1 Federal Reserve Board, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and the State Liaison Committee.

2 FFIEC, Information Technology Subcommittee, Statement on Outsourced Cloud Computing (July 10, 2012).

3 See, IT Handbook, Outsourcing Technology Services, Appendix A, "Examination Procedures" and Appendix D, "Managed Security Service Providers."

4 IT industry surveys point to the likelihood of a continuing significant migration away from "hard" IT platforms towards Internet-based services as a solution for hardware, infrastructure, and software needs alike. See, Pew Research Center, The Future of Cloud Computing (June 2010), available at http://pewinternet.org/Reports/2010/The-future-of-cloud-computing.aspx.

5 IT Handbook, Outsourcing Technology Services, n.3 supra.

6 "The fundamentals of risk and risk management defined in the IT Handbook apply to cloud computing as they do to other forms of outsourcing." Statement, at 4.

7 Financial institutions may find more useful information in the IT Handbook sections that have been modified to address cloud computing issues, in particular Appendix A and Appendix D to the IT Outsourcing Handbook.

8 In prior publications on cloud computing activities, we have highlighted several major issues that are particularly associated with cloud computing activities, including privacy, data security/integrity, TSP negotiation issues, and how users of cloud services may need to approach these concerns. See, Morrison & Foerster LLP, Privacy in the Cloud: A Legal Framework for Moving Personal Data to the Cloud (Feb. 14, 2011); Cloud Computing and Outsourcing: Is Data Lost in the Fog? (June 15, 2009); MoFoTech Magazine (Supplement), Get Your Head in the Cloud (2010).

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved
