Financial services cloud computing regulation has been saved
Financial services cloud computing regulation
Cloud security risk management principles
Financial services institutions increased reliance on cloud service providers (CSPs) and the critical roles CSPs often play to support their operations have increased certain risks and created new risks to manage. This page provides news, strategies, and insights to help institutions manage cloud computing risks and regulations.
FFIEC statement on risk management for cloud computing services | May 21, 2020
On April 30, 2020, the Federal Financial Institutions Examination Council (FFIEC), on behalf of the bank regulators issued a joint statement to address the use of cloud computing services and security risk management principles in the financial services industry. The statement represents a continuation of increased regulatory attention and oversight of cloud computing within the industry. The recommendations within the statement represent close alignment with other global regulators and encourage financial services institutions (FSIs) to consider their risk management practices as it relates to usage of the cloud in the domains of:
- Information security;
- Business continuity planning;
- Third-party risk management;
- Privacy and data protection; and
- Record retention practices
While the widespread adoption of cloud computing by FSIs have led to many benefits, the increased reliance on cloud service providers (CSPs) and the critical roles CSPs often play to support their operations, have also increased certain risks and created new risks for these FSIs to manage. The statement recognizes that regulatory expectations have been heightened for increased risk management and enhanced cloud computing controls that are not only the responsibility of the FSI but are shared responsibilities between the FSIs and the CSPs; however, the ultimate responsibility lies with the FSI, particularly when safeguarding customer information. Recognizing the statement does not specifically prescribe any new requirements, it is intended to reinforce considerations that are recognized by the banking regulators by highlighting the following:
- Application of sufficient oversight and governance of the CSP(s)
- Clearly defined roles and responsibilities, control ownership matrices between the FSI and the CSP (as well as governance of the FSI over the CSP), and level of oversight and monitoring procedures to ensure effectiveness
- Balancing of benefits of cloud computing while weighing the costs and requirements to operate within risk tolerance levels and mitigating factors (as necessary)
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.