Regulators in Canada and the United States have issued guidance regarding the use of cloud computing by financial institutions. The guidance recognizes the significant opportunities and benefits of cloud computing, but cautions financial institutions to carefully consider the risks presented by cloud computing and make prudent risk management decisions. All organizations contemplating the use of cloud computing can benefit from the regulatory guidance.
Cloud computing is a business, technology and service model that treats information technology (“IT”) resources (including networks, servers, data storage and software applications) and related services (including hardware and software maintenance and technical support) as a utility or consumption-based service. Cloud computing enables an organization to outsource its IT requirements to a specialist service provider who can provide required services in a better and more efficient and cost effective manner. Cloud computing allows an organization to focus on its core competence and leave the IT stuff to the experts. For those reasons, cloud computing can provide significant benefits, but cloud computing can also present substantial risks.
Office of the Superintendent of Financial Institutions Canada
In February 2012, the Office of the Superintendent of Financial Institutions Canada (OSFI) issued a memorandum reminding federally regulated financial institutions that cloud computing is a form of outsourcing and is subject to OSFI’s March 2009 Guideline B-10 – Outsourcing of Business Activities, Functions and Processes. Guideline B-10 provides detailed guidance for the management of risks associated with material outsourcing arrangements, including the issues to be addressed in contracts for outsourced services. OSFI’s Memorandum cautions financial institutions to recognize the unique features of cloud computing and duly consider the associated risks, particularly regarding: (1) confidentiality, security and separation of property/data; (2) contingency planning; (3) location of records; (4) access and audit rights; (5) subcontracting; and (6) monitoring. OSFI’s Memorandum reminds financial institutions that prudent business management includes management of outsourcing risks.
U.S. Federal Financial Institutions Examination Council
In July 2012, the U.S. Federal Financial Institutions Examination Council (FFIEC), an inter-agency council of federal financial regulators, issued a Statement on Outsourcing Cloud Computing to remind American financial institutions that cloud computing is a form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. The Statement notes that financial institutions considering outsourcing are expected to consider the risk management guidance provided by FFIEC’s Information Technology Examination Handbook. The Statement notes that the unique nature of cloud computing may require “more robust controls”, and emphasizes the following key elements of sound risk management and risk mitigation controls: (1) due diligence (including an assessment of the service provider’s ability to meet the financial institution’s requirements in terms of cost, quality of service, compliance with regulatory requirements, and risk management); (2) vendor management and control (including disengagement rights and contract provisions regarding ownership, location and format of data and dispute resolution); (3) audit rights (including the right to assess the service provider’s performance); (4) information/data security (including monitoring rights and data deletion assurances); (5) legal, regulatory and reputation considerations (including the financial institution’s ability to control access to its data and contract provisions regarding the service provider’s obligations with respect to privacy, responding to and reporting security incidents, and fulfilling security breach notice requirements); and (6) business continuity planning (including the financial institution’s ability to transition to replacement services). The Statement cautions that cloud computing may not be appropriate for all financial institutions, and that in some circumstances the use of cloud computing services may be “ill advised”.
The guidance issued by financial regulators reflects specific concerns regarding the risks associated with the use of cloud computing by financial institutions. For the most part, those risks are inherent in the unique nature of cloud computing, and accordingly the regulatory guidance is relevant to all organizations considering the use of cloud computing services.