Featured Product

    FFIEC Issues Statement on Risk Management for Cloud Computing Services

    April 30, 2020

    FFIEC, on behalf of its members, issued a statement to address the use of cloud computing services and security risk management principles in the financial services sector. The statement highlights examples of risk management practices for a financial institution’s safe and sound use of cloud computing services and safeguards to protect the sensitive information of consumers. The statement also provides a list of government and industry resources and references to assist financial institutions using cloud computing services.

    The statement does not contain new regulatory expectations, though it highlights that management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment. The statement identifies the responsibilities financial institutions would have when contracting with cloud computing providers. Examples of relevant risk management practices for assessing risks related to and implementing controls for cloud computing services include the following:

    • The financial institution’s plans for the use of cloud computing services should align with its overall IT strategy, architecture, and risk appetite. This includes determining the appropriate level of governance, the types of systems and information assets considered for cloud computing environments, the impact on the financial institution’s architecture and operations model, and management’s comfort with its dependence on and its ability to monitor the cloud service provider.
    • Appropriate due diligence and ongoing oversight and monitoring of cloud service providers’ security is required. As with all other third-party relationships, security-related risks should be identified during planning, due diligence, and the selection of the cloud service provider.
    • Contracts between a financial institution and cloud service provider should be drafted to clearly define which party has responsibilities for configuration and management of system access rights, configuration capabilities, and deployment of services and information assets to a cloud computing environment, among other things.
    • An effective inventory process for the use of cloud computing environments is an essential component for secure configuration management, vulnerability management, and monitoring of controls.
    • Common practices for identity and access management for resources using cloud computing infrastructures include limiting account privileges, implementing multi-factor authentication, frequently updating and reviewing account access, monitoring activity, and requiring privileged users to have separate usernames and passwords for each segment of the cloud service provider’s and financial institution’s networks.
    • Operations moved to cloud computing environments should have resilience and recovery capabilities commensurate with the risk of the service or operation for the financial institution. Management should review and assess the resilience capabilities and service options available from the cloud service provider. 

    The risk management considerations outlined in the statement provide a summary of key controls that management may consider as part of assessing and implementing cloud computing services. However, specific risk management and controls will be dependent on the nature of the outsourced services and the specifics of the cloud implementation. Additional information on general third-party risk management and outsourcing practices is available in the FFIEC Information Technology Examination Handbook’s “Outsourcing Technology Services” booklet and other documents published by the FFIEC members.

     

    Related Links

    Keywords: Americas, US, Banking, Cloud Computing, Risk Management, Governance, Cyber Risk, FFIEC

    Related Articles
    News

    EU Agencies Update LCR Rule and Macro-Prudential Policy Recommendation

    The European Commission (EC) published the Delegated Regulation 2022/786 with regard to the liquidity coverage requirements for credit institutions under the Capital Requirements Regulation (CRR).

    May 23, 2022 WebPage Regulatory News
    News

    EBA Publishes Regulatory Standards to Identify Shadow Banking Entities

    The European Banking Authority (EBA) published the final draft regulatory technical standards specifying the criteria to identify shadow banking entities for the purposes of reporting large exposures.

    May 23, 2022 WebPage Regulatory News
    News

    EIOPA Examines Physical Climate Risk Exposure, SII Non-Compliance

    The European Insurance and Occupational Pensions Authority (EIOPA) published a report assessing insurers' exposure to physical climate change risks

    May 20, 2022 WebPage Regulatory News
    News

    EC Publishes Results on Review of Web Accessibility Directive

    The European Commission (EC) published the results of a public consultation, held in October 2021, on the review of the Web Accessibility Directive.

    May 19, 2022 WebPage Regulatory News
    News

    NGFS Report Explores Quantification of Climate Risk Differentials

    The Network for Greening the Financial System (NGFS) published two reports to aid central banks and regulators in their oversight of the financial sector and in their central bank operations

    May 19, 2022 WebPage Regulatory News
    News

    MAS Consults on Adjustment Spreads for Conversion of SOR Contracts

    The Monetary Authority of Singapore (MAS) and the SC-STS are jointly consulting, until June 10, 2022, on setting adjustment spreads for the conversion of legacy SOR contracts to SORA reference rate.

    May 18, 2022 WebPage Regulatory News
    News

    OSFI Discusses Benchmark Rate Transition, Sets Out Work Priorities

    The Office of the Superintendent of Financial Institutions (OSFI) published the strategic plan for 2022-2025 and the departmental plan for 2022-23.

    May 17, 2022 WebPage Regulatory News
    News

    EBA Proposes Standards to Support Secondary NPL Markets

    The European Banking Authority (EBA) is consulting, until August 31, 2022, on the draft implementing technical standards specifying requirements for the information that sellers of non-performing loans (NPLs) shall provide to prospective buyers.

    May 17, 2022 WebPage Regulatory News
    News

    EU Confirms Agreement on Rules on Cybersecurity and Banking Resolution

    The European Council and the Parliament reached an agreement on the revised Directive on security of network and information systems (NIS2 Directive).

    May 13, 2022 WebPage Regulatory News
    News

    EBA Issues Standards for Crowdfunding Service Providers Under ECSPR

    The European Banking Authority (EBA) published the final draft regulatory technical standards specifying information that crowdfunding service providers shall provide to investors on the calculation of credit scores and prices of crowdfunding offers.

    May 13, 2022 WebPage Regulatory News
    RESULTS 1 - 10 OF 8206