On April 30, the Federal Financial Institutions Examination Council (FFIEC) issued a statement addressing the financial services sector’s use of cloud computing. The statement does not identify any new regulatory expectations, but it does offer valuable examples of risk reduction practices. Its timing also underscores the need for the financial industry to exercise constant vigilance in the face of an increasing number of data breaches and cybersecurity threats, particularly as more work moves online during the COVID-19 pandemic.
The FFIEC’s statement stresses the importance of financial institutions’ management having a clear grasp on the division of responsibilities between the institution and the cloud service provider (CSP) with which it chooses to do business. Without management’s understanding and buy-in, the risk of operational failures and/or security breaches increases.
Due Diligence is Key
Any financial institution’s data security approach should be defined by due diligence in:
- Vendor selection
- Contract drafting
- Continued oversight
Time to Evaluate Risk Management Best Practices
The statement invites financial institutions to evaluate (or re-evaluate) several key items, including:
- The CSP’s incident response obligations
- The financial institution’s ability to pre-approve any subcontractors the CSP wishes to use
- Data ownership between the financial institution and the CSP
- Expectations for the return of data from the CSP to the financial institution at the contract’s termination
- Jurisdictional restrictions on data housing and transfers
- Right to audit the CSP and conduct vulnerability assessments
- Encryption key management
- Employee training, among others
Our Privacy, Cybersecurity and Data Management Team will continue to share the latest developments impacting the financial institutions sector and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on these issues.