Featured Product

    FFIEC Issues Statement on Risk Management for Cloud Computing Services

    April 30, 2020

    FFIEC, on behalf of its members, issued a statement to address the use of cloud computing services and security risk management principles in the financial services sector. The statement highlights examples of risk management practices for a financial institution’s safe and sound use of cloud computing services and safeguards to protect the sensitive information of consumers. The statement also provides a list of government and industry resources and references to assist financial institutions using cloud computing services.

    The statement does not contain new regulatory expectations, though it highlights that management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment. The statement identifies the responsibilities financial institutions would have when contracting with cloud computing providers. Examples of relevant risk management practices for assessing risks related to and implementing controls for cloud computing services include the following:

    • The financial institution’s plans for the use of cloud computing services should align with its overall IT strategy, architecture, and risk appetite. This includes determining the appropriate level of governance, the types of systems and information assets considered for cloud computing environments, the impact on the financial institution’s architecture and operations model, and management’s comfort with its dependence on and its ability to monitor the cloud service provider.
    • Appropriate due diligence and ongoing oversight and monitoring of cloud service providers’ security is required. As with all other third-party relationships, security-related risks should be identified during planning, due diligence, and the selection of the cloud service provider.
    • Contracts between a financial institution and cloud service provider should be drafted to clearly define which party has responsibilities for configuration and management of system access rights, configuration capabilities, and deployment of services and information assets to a cloud computing environment, among other things.
    • An effective inventory process for the use of cloud computing environments is an essential component for secure configuration management, vulnerability management, and monitoring of controls.
    • Common practices for identity and access management for resources using cloud computing infrastructures include limiting account privileges, implementing multi-factor authentication, frequently updating and reviewing account access, monitoring activity, and requiring privileged users to have separate usernames and passwords for each segment of the cloud service provider’s and financial institution’s networks.
    • Operations moved to cloud computing environments should have resilience and recovery capabilities commensurate with the risk of the service or operation for the financial institution. Management should review and assess the resilience capabilities and service options available from the cloud service provider. 

    The risk management considerations outlined in the statement provide a summary of key controls that management may consider as part of assessing and implementing cloud computing services. However, specific risk management and controls will be dependent on the nature of the outsourced services and the specifics of the cloud implementation. Additional information on general third-party risk management and outsourcing practices is available in the FFIEC Information Technology Examination Handbook’s “Outsourcing Technology Services” booklet and other documents published by the FFIEC members.

     

    Related Links

    Keywords: Americas, US, Banking, Cloud Computing, Risk Management, Governance, Cyber Risk, FFIEC

    Related Articles
    News

    EBA Analyzes Impact of Unwind Mechanism of Liquidity Coverage Ratio

    EBA published a report analyzing the impact of the unwind mechanism of the liquidity coverage ratio (LCR) for a sample of European banks over a three-year period, from the end of 2016 to the first quarter of 2020.

    November 19, 2020 WebPage Regulatory News
    News

    ECB Outlines Views on Possible Changes to AnaCredit Rule and TLTROs

    In response to questions from a member of the European Parliament, the ECB President Christine Lagarde issued a letter clarifying the possibility of amending the AnaCredit Regulation and making targeted longer-term refinancing operations (TLTROs) dependent on the climate-related impact of bank loans.

    November 19, 2020 WebPage Regulatory News
    News

    IASB Begins First Phase of Post-Implementation Review of IFRS 9

    IASB started the post-implementation review of the classification and measurement requirements in IFRS 9 on financial instruments and added the review as a project to its work plan.

    November 18, 2020 WebPage Regulatory News
    News

    FSB Report Examines Progress in Resolvability of Systemic Institutions

    FSB published a report that examines progress in implementing policy measures to enhance the resolvability of systemically important financial institutions.

    November 18, 2020 WebPage Regulatory News
    News

    EBA Benchmarks National Insolvency Frameworks Across EU

    EBA published a report on the benchmarking of national loan enforcement frameworks across 27 EU member states, in response to the call for advice from EC.

    November 18, 2020 WebPage Regulatory News
    News

    FSB Reports Assess Impact of Pandemic on Financial Stability

    FSB published a letter from its Chair Randal K. Quarles, along with two reports exploring various aspects of the market turmoil resulting from the COVID-19 event.

    November 17, 2020 WebPage Regulatory News
    News

    RBNZ Consults on Implementation of Capital Review Changes

    RBNZ launched a consultation on the details for implementing the final Capital Review decisions announced in December 2019.

    November 17, 2020 WebPage Regulatory News
    News

    IASB Announces Andreas Barckow as the New Chair from July 2021

    The Trustees of the IFRS Foundation, which are responsible for the governance and oversight of IASB, have announced the appointment of Dr. Andreas Barckow as the IASB Chair, effective July 2021.

    November 17, 2020 WebPage Regulatory News
    News

    HKMA Consults on Capital Rules for Bank Equity Investments in Funds

    HKMA issued a letter to consult the banking industry on a full set of proposed draft amendments to the Banking (Capital) Rules for implementing the Basel standard on capital requirements for banks’ equity investments in funds in Hong Kong.

    November 17, 2020 WebPage Regulatory News
    News

    ESRB Supports Extension of Macro-Prudential Measure by Swedish FSA

    ESRB published an opinion assessing the decision of Swedish Financial Supervisory Authority (FSA) to extend the application period of a stricter measure for residential mortgage lending, in accordance with Article 458 of the Capital Requirements Regulation (CRR).

    November 17, 2020 WebPage Regulatory News
    RESULTS 1 - 10 OF 6153