On April 30, 2020, the US Federal Financial Institutions Examination Council (FFIEC), an interagency group of federal and state banking regulators, issued guidance on “Security in a Cloud Computing Environment.”
The FFIEC guidance focuses on security risk management principles and the financial services sector’s use of cloud computing, and supplements its publications on outsourcing of Information Technology (IT) services, Outsourcing Technology Services and Supervising and Supervision of Technology Services Providers, and its cybersecurity resources.
The FFIEC reminded financial institutions that while the detailed 11 page document does not constitute a new regulatory requirement, it was intended to provide guidance focusing specifically on the “safe and sound use” of those services and measures that can be taken to protect customer information.
The FFIEC also cautioned financial institutions that a failure to develop and implement a risk-based approach to use of cloud computer services could constitute “an unsafe or unsound practice” as well as “placing consumer-sensitive information at risk.”
In drafting the document, the FFIEC also drew on guidance issued by other agencies such as the National Security Agency (NSA) and the Center for Internet Security (CIS).
After discussing the various ways in which financial institutions can utilize cloud computing services, whether by hosting the applications themselves or depending upon the service provider’s resources, the FFIEC guidance provided several examples of the risk management practices that should be utilized in assessing and implementing internal controls for utilization of cloud computing environments:
- Governance, including how the use of cloud computing fits in with the financial institution’s strategic plan
- Cloud security management, including adequate due diligence, a service provider contract that sets out clearly the responsibilities of each party, proper network controls, ongoing oversight, and effective training
- Change management, including effective controls for transitioning a financial institution’s systems to a cloud computing environment
- Resilience and recovery, including ensuring financial institutions have the appropriate risk-based recovery and resilience and incident response capabilities
- Audit and controls assessment, including regular testing of internal controls and oversight of the service provider that focuses on the unique aspects of cloud computing services, as well as data destruction
The FFIEC guidance provides several examples of the unique risk aspects of cloud computing, including management of virtual infrastructure through cloud security tools such as the use of “containers” in cloud computing environments, referred to as microservices.
For example, using as an analogy a person storing his or her own data in a box, would that person rather store the data in a container with other third party containers in a storage facility, or have a separate storage facility with only his or her own boxes? The first choice has a lower cost and somewhat less security than the second choice. Some financial institutions use the second method (either by using their own computers or dedicated premises to store data). However, moving to the cloud can lower costs for financial institutions if they store their containers in the cloud with other financial institutions’ containers.
If the financial institution opts to share space in the cloud, the FFIEC recommends:
- Storing data outside the container so that data does not have to be re-created when updating and replacing containers
- Verifying that configurations prevent containers from unintentionally interacting and tainting each other
- Securing containers from applications within them
- Securing the cloud host from the container and vice versa
- Monitoring containers for vulnerabilities and updating or replacing containers when appropriate
- Container-specific security solutions need to be developed to ensure effective monitoring because containers may obscure activities, making traditional security controls, such as firewalls, insufficient with respect to containers
In addition, the FFIEC recognized that some cloud service providers may “seek to limit a financial institution’s ability to perform their own security assessment due to potential performance impacts.” The FFIEC stated will allow financial institutions to utilize independent reports such as system and organizational control (SOC) reports. The FFIEC also permitted management to “use the security tools and configuration management capabilities provided as part of the cloud services to monitor security.”
The FFIEC’s guidance underscores the fact that while a financial institution is able to outsource various functions to a third party service provider, it can never outsource its liability if something goes wrong .
Norton Rose Fulbright has a useful database of FinTech materials for those who are interested in learning more about the subject.