Featured Product

    FFIEC Issues Statement on Risk Management for Cloud Computing Services

    April 30, 2020

    FFIEC, on behalf of its members, issued a statement to address the use of cloud computing services and security risk management principles in the financial services sector. The statement highlights examples of risk management practices for a financial institution’s safe and sound use of cloud computing services and safeguards to protect the sensitive information of consumers. The statement also provides a list of government and industry resources and references to assist financial institutions using cloud computing services.

    The statement does not contain new regulatory expectations, though it highlights that management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment. The statement identifies the responsibilities financial institutions would have when contracting with cloud computing providers. Examples of relevant risk management practices for assessing risks related to and implementing controls for cloud computing services include the following:

    • The financial institution’s plans for the use of cloud computing services should align with its overall IT strategy, architecture, and risk appetite. This includes determining the appropriate level of governance, the types of systems and information assets considered for cloud computing environments, the impact on the financial institution’s architecture and operations model, and management’s comfort with its dependence on and its ability to monitor the cloud service provider.
    • Appropriate due diligence and ongoing oversight and monitoring of cloud service providers’ security is required. As with all other third-party relationships, security-related risks should be identified during planning, due diligence, and the selection of the cloud service provider.
    • Contracts between a financial institution and cloud service provider should be drafted to clearly define which party has responsibilities for configuration and management of system access rights, configuration capabilities, and deployment of services and information assets to a cloud computing environment, among other things.
    • An effective inventory process for the use of cloud computing environments is an essential component for secure configuration management, vulnerability management, and monitoring of controls.
    • Common practices for identity and access management for resources using cloud computing infrastructures include limiting account privileges, implementing multi-factor authentication, frequently updating and reviewing account access, monitoring activity, and requiring privileged users to have separate usernames and passwords for each segment of the cloud service provider’s and financial institution’s networks.
    • Operations moved to cloud computing environments should have resilience and recovery capabilities commensurate with the risk of the service or operation for the financial institution. Management should review and assess the resilience capabilities and service options available from the cloud service provider. 

    The risk management considerations outlined in the statement provide a summary of key controls that management may consider as part of assessing and implementing cloud computing services. However, specific risk management and controls will be dependent on the nature of the outsourced services and the specifics of the cloud implementation. Additional information on general third-party risk management and outsourcing practices is available in the FFIEC Information Technology Examination Handbook’s “Outsourcing Technology Services” booklet and other documents published by the FFIEC members.

     

    Related Links

    Keywords: Americas, US, Banking, Cloud Computing, Risk Management, Governance, Cyber Risk, FFIEC

    Related Articles
    News

    EU Amends CRD4 and CRD5 as Part of Capital Markets Recovery Package

    EU published Directive 2021/338, which amends the Markets in Financial Instruments Directive (MiFID) II and the Capital Requirements Directives (CRD 4 and 5) to facilitate recovery from the COVID-19 crisis.

    February 26, 2021 WebPage Regulatory News
    News

    EU Committee Recommends Systemic Risk Buffer of 4.5% in Norway

    The Standing Committee of the European Free Trade Association (EFTA) recommended that a systemic risk buffer level of 4.5% for domestic exposures can be considered appropriate for addressing the identified systemic risks to the stability of the financial system in Norway.

    February 25, 2021 WebPage Regulatory News
    News

    PRA Clarifies Approach to Onshoring of Credit Risk Rules for UK Banks

    In a recent statement, PRA clarified its approach to the application of certain EU regulatory technical standards and EBA guidelines on standardized and internal ratings-based approaches to credit risk, following the end of the Brexit transition.

    February 25, 2021 WebPage Regulatory News
    News

    FSB Sets Out Work Priorities for 2021

    In a recently published letter addressed to the G20 finance ministers and central bank governors, the FSB Chair Randal K. Quarles has set out the key FSB priorities for 2021.

    February 25, 2021 WebPage Regulatory News
    News

    EU Publishes Corrigendum to Revised Capital Requirements Regulation

    EU published, in the Official Journal of the European Union, a corrigendum to the revised Capital Requirements Regulation (CRR2 or Regulation 2019/876).

    February 25, 2021 WebPage Regulatory News
    News

    ESAs Issue Statement on Application of Sustainability Disclosures Rule

    ESAs published a joint supervisory statement on the effective and consistent application and on national supervision of the regulation on sustainability-related disclosures in the financial services sector (SFDR).

    February 25, 2021 WebPage Regulatory News
    News

    EC Consults on Crisis Management and Deposit Insurance Frameworks

    EC published a public consultation on the review of crisis management and deposit insurance frameworks in EU.

    February 25, 2021 WebPage Regulatory News
    News

    HKMA Enhances Loan Guarantee Scheme to Alleviate Pressure on SMEs

    HKMA announced that enhancements will be made to the Special 100% Loan Guarantee of the SME Financing Guarantee Scheme (SFGS) and the application period will be extended to December 31, 2021.

    February 24, 2021 WebPage Regulatory News
    News

    EBA Proposes Standards for Supervisory Cooperation Under IFD

    EBA launched consultations on the regulatory and implementing technical standards on cooperation and information exchange between competent authorities involved in prudential supervision of investment firms.

    February 24, 2021 WebPage Regulatory News
    News

    BoE Addresses Banks in Scope of First Resolvability Assessment

    BoE issued a letter to the CEOs of eight major UK banks that are in scope of the first Resolvability Assessment Framework (RAF) reporting and disclosure cycle.

    February 24, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 6629