News Feed

Monthly OPS Notes Release: Cloud Computing

Mon, Jul 7, 2014

Columbia, Maryland

As the need to address record and information storage demands increases credit unions continually look for new cost effective methods of processing and storing information. Cloud computing is a technological advancement that can be advantageous to credit unions because of potential benefits such as: cost reduction, flexibility, scalability, improved load balancing, and speed. However every offer that sounds too good to be true should be carefully examined before being executed.

The Federal Financial Institution Examination Council (FFIEC) considers cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. The FFIEC defines cloud computing as "a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet "cloud.""

There is a misconception that "cloud" storage is somewhere in the sky, or in the Ethernet. The truth is far less fanciful. Information technology resources provided through cloud computing services are located on a server – somewhere in the world; and that is where one of the risks of cloud computing comes into play. The FFIEC has provided guidance on Outsourced Cloud Computing to assist credit unions in determining if this is a viable solution.

When considering a cloud computing solution it is required that credit unions evaluate potential issues, including:

Data classification: How sensitive is credit union and member data that will be placed in the cloud and does the provider have controls in place to ensure it is properly protected? Does the cloud service provider appropriately encrypt or otherwise protect non-public personal information (NPPI) and other data whose disclosure could harm the credit union and its members?

Data segregation: Will the credit union share resources with data from other cloud clients? Will the data be transmitted over the same networks, and stored or processed on servers that are also used by other clients? If so, what controls are in place to ensure the integrity and confidentiality of the credit union's data?

Recoverability: Does the credit union's disaster recovery and business continuity plans include appropriate consideration of this form of outsourcing; and do the service provider's disaster recovery plans meet the regulatory and credit union's requirements?

Additionally, the credit union may have to provide additional controls to manage a cloud computing service provider. It is important to recognize this prior to contracting services so that they can be included in the overall cost of services. The need for additional due diligence stems from third party cloud computing providers being unfamiliar with the financial industry and the credit union's legal and regulatory requirements for safeguarding member information and other sensitive data.

The FFIEC asserts that the credit union must have agreements that are specific as to the ownership, location and format of the credit union's data, and dispute resolution processes. The FFIEC recommends that the credit union use an auditor to assist in the evaluation of the cloud computing provider's internal controls to ensure that they are functioning appropriately and that credit union data is segregated from other data.

Based on the risk evaluation of the credit union and the data that is stored the FFIEC recommends that in high-risk situations continuous monitoring may be necessary for the credit union to have a sufficient level of assurance that the servicer is maintaining effective controls.

Storage of data in the cloud can increase the frequency and complexity of security incidents; something the currently plagues the financial services industry. Therefore, the credit unions management process for cloud computing resources should include effective monitoring of security-related threats, incidents, and events on both credit unions and servicers networks; comprehensive incident response methodologies; and maintenance of appropriate forensic strategies for investigation and evidence collection.

Finally due to the nature of the cloud computing environment it is important to understand that often these solutions are provided overseas, due to the cost benefits. If this is the case the provider may not be aware of or comply with the myriad of regulatory requirements credit unions must comply with, including: privacy, security incidence response, record retention, and information technology requirements.

Careful consideration must be made when reviewing outsourced cloud computing service providers. To assist the credit union in this endeavor a new Cloud Computing Policy, Policy 4350, is being introduced in the June 2014 CU PolicyPro quarterly update.


Source:  CUPolicyPro, Michigan Credit Union League