FFIEC discusses cloud computing risk management practices
On April 30, the FFIEC released a statement on risk management principles for cloud computing security in the financial services sector. The FFIEC emphasizes that the statement does not contain new regulatory expectations, but rather highlights examples of risk management practices for the safe and sound use of cloud computing services, along with safeguards for protecting customers’ sensitive information from risks that may cause potential consumer harm. Among other things, the statement stresses that management should understand the division of responsibilities between a financial institution and a cloud service provider in order to assess and implement appropriate controls over operations to prevent the increased risk of operational failures or security breaches. The FFIEC also addresses the importance of protecting customer-sensitive information from unsafe or unsound practices by implementing “an effective risk management process for cloud computing commensurate with the level of risk and complexity of the financial institution’s operations residing in a cloud computing environment.” The statement provides a list of government and industry resources and references to assist financial institutions when using cloud computing services.