FFIEC Warns Credit Unions About Cloud Computing
July 12, 2012
July 12, 2012
According to a recently released statement, the Federal Financial Institutions Examination Council (FFIEC) believes credit unions should do a thorough risk assessment, addressing legal, regulatory, and reputational risks, before deciding to use cloud computing for data storage and other computing purposes.
Cloud computing is the term used when data are not held together in a credit union-owned or leased server. Instead, data are shared among different servers and locations.
The FFIEC noted that cloud computing is another form of outsourcing. It has the same basic risk characteristics and risk-management requirements as traditional forms of outsourcing. It also provides many of the same or similar benefits. Outsourcing to cloud computing providers can increase flexibility and speed while decreasing costs of data use and storage.
According to the statement, before committing to any cloud computing firm, credit unions should assess the strength of the firm’s internal controls and examine their own data security. Cloud storage could increase the frequency and complexity of security incidents, the FFIEC noted. Credit unions and their vendor must effectively monitor their systems for security-related threats and be sure to have appropriate forensic strategies for investigation and evidence collection in the event of a security breach.
Another area of concern is related to where in the world the data is stored or processed. Overseas data storage can make it more difficult for financial institutions to assess compliance. Also, due diligence may be more complex and difficult in an environment where the cloud computing service provider processes and stores data overseas, the FFIEC warned.
Questions? Contact the Compliance Hotline: 1.800.546.4465, firstname.lastname@example.org.