Featured Product

    FFIEC Issues Statement on Risk Management for Cloud Computing Services

    April 30, 2020

    FFIEC, on behalf of its members, issued a statement to address the use of cloud computing services and security risk management principles in the financial services sector. The statement highlights examples of risk management practices for a financial institution’s safe and sound use of cloud computing services and safeguards to protect the sensitive information of consumers. The statement also provides a list of government and industry resources and references to assist financial institutions using cloud computing services.

    The statement does not contain new regulatory expectations, though it highlights that management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment. The statement identifies the responsibilities financial institutions would have when contracting with cloud computing providers. Examples of relevant risk management practices for assessing risks related to and implementing controls for cloud computing services include the following:

    • The financial institution’s plans for the use of cloud computing services should align with its overall IT strategy, architecture, and risk appetite. This includes determining the appropriate level of governance, the types of systems and information assets considered for cloud computing environments, the impact on the financial institution’s architecture and operations model, and management’s comfort with its dependence on and its ability to monitor the cloud service provider.
    • Appropriate due diligence and ongoing oversight and monitoring of cloud service providers’ security is required. As with all other third-party relationships, security-related risks should be identified during planning, due diligence, and the selection of the cloud service provider.
    • Contracts between a financial institution and cloud service provider should be drafted to clearly define which party has responsibilities for configuration and management of system access rights, configuration capabilities, and deployment of services and information assets to a cloud computing environment, among other things.
    • An effective inventory process for the use of cloud computing environments is an essential component for secure configuration management, vulnerability management, and monitoring of controls.
    • Common practices for identity and access management for resources using cloud computing infrastructures include limiting account privileges, implementing multi-factor authentication, frequently updating and reviewing account access, monitoring activity, and requiring privileged users to have separate usernames and passwords for each segment of the cloud service provider’s and financial institution’s networks.
    • Operations moved to cloud computing environments should have resilience and recovery capabilities commensurate with the risk of the service or operation for the financial institution. Management should review and assess the resilience capabilities and service options available from the cloud service provider. 

    The risk management considerations outlined in the statement provide a summary of key controls that management may consider as part of assessing and implementing cloud computing services. However, specific risk management and controls will be dependent on the nature of the outsourced services and the specifics of the cloud implementation. Additional information on general third-party risk management and outsourcing practices is available in the FFIEC Information Technology Examination Handbook’s “Outsourcing Technology Services” booklet and other documents published by the FFIEC members.

     

    Related Links

    Keywords: Americas, US, Banking, Cloud Computing, Risk Management, Governance, Cyber Risk, FFIEC

    Related Articles
    News

    UK Government to Set Out Rules on Wind-down of Critical Benchmarks

    HM Treasury notified that, after considering all responses, the government intends to bring forward further legislation, when the Parliamentary time allows, to address issues identified in the consultation on supporting the wind-down of critical benchmarks.

    May 07, 2021 WebPage Regulatory News
    News

    EIOPA Launches Stress Test for Insurance Sector in EU

    EIOPA launched the 2021 stress test for the insurance sector in EU.

    May 07, 2021 WebPage Regulatory News
    News

    UK Authorities Publish Third Edition of Regulatory Initiatives Grid

    UK authorities jointly published the third edition of Regulatory Initiatives Grid setting out the planned regulatory initiatives for the next 24 months.

    May 07, 2021 WebPage Regulatory News
    News

    EC Consults on Regulation on Non-Financial Sustainability Disclosures

    EC is requesting feedback on the proposed Commission Delegated Regulation on the content, methodology, and presentation of information that large financial and non-financial undertakings should disclose about their environmentally sustainable economic activities under the Taxonomy Regulation.

    May 07, 2021 WebPage Regulatory News
    News

    OSFI Outlines Prudential Policy Priorities for Coming Months

    OSFI has set out the near-term priorities for federally regulated financial institutions and federally regulated private pension plans for the coming months until March 31, 2022.

    May 06, 2021 WebPage Regulatory News
    News

    BIS Announces TechSprint on Innovative Green Finance Solutions

    Under the Italian G20 Presidency, BIS Innovation Hub and the Italian central bank BDI launched the second edition of the G20 TechSprint on the lookout for innovative solutions to resolve operational problems in green and sustainable finance.

    May 06, 2021 WebPage Regulatory News
    News

    ACPR Publishes Version 1.0.0 of RUBA Taxonomy

    ACPR published Version 1.0.0 of the RUBA taxonomy, which will come into force from the decree of January 31, 2022.

    May 06, 2021 WebPage Regulatory News
    News

    EBA Proposed Regulatory Standards for Central Database on AML/CFT

    EBA proposed the regulatory technical standards on a central database on anti-money laundering and countering the financing of terrorism (AML/CFT) in EU.

    May 06, 2021 WebPage Regulatory News
    News

    ECB Responds to EC Consultation on Crisis Management Framework

    ECB published its response to the targeted EC consultation on the review of the bank crisis management and deposit insurance framework in EU.

    May 06, 2021 WebPage Regulatory News
    News

    BCBS, CPMI, and IOSCO to Survey Market Participants on Margin Calls

    BCBS, CPMI, and IOSCO (the Committees) are inviting entities that participate in market infrastructures and securities markets through an intermediary as well as non-bank intermediaries to complete voluntary surveys on the use of margin calls.

    May 05, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 6942