While cloud-based solutions have become commonplace for a large portion of U.S. financial institutions today, many have chosen to forego adopting this form of technology due, in part, to increased concern for the security of storing information remotely.
For those community banks interested in secure cloud technology, the problem can be selecting the right partners from a large pool of cloud-based solutions. How does your bank determine which company will best work with your existing technology, support your business objectives and address cloud concerns? For this reason, the Federal Financial Institutions Examination Council recently re-issued its previous guidance on vendor management to address the concerns many institutions — rightfully and wrongfully — relate to the cloud.
The FFIEC’s guidance on managing outsourced cloud vendors was put into place to serve as a step-by-step process to ensure that banks of all sizes select the right cloud provider and understand how to successfully manage the relationship once a vendor has been selected.
In a way, each section of the guidance is similar to the process a bank goes through to ensure the institution’s physical security. Failure to take the right precautions could result in a robbery of cash and resulting bad press and lost customers, or in the case of cloud computing, compromised customer data and costly fines.
The first step to selecting a viable cloud provider lies in fully understanding the inner workings of the solution. This means performing the necessary due diligence to adequately grasp how the solution works and how it will be used.
Based on the FFIEC’s guidance, some questions to ask when selecting a cloud-provider may include:
Weigh Your Options
The next section of FFIEC guidance emphasizes vendor management and determining how to monitor the vendor’s performance. Similar to understanding what kind of agreement it is entering into when contracting an armored car service, a bank should be confident in the ability of the vendor it chooses. This means researching the vendor, its data security certifications and track record, and the procedures it follows as safeguards.
Cloud vendors unfamiliar with the industry — or the legal and regulatory requirements they must adhere to — may lead a bank to more closely monitor performance or reconsider the relationship altogether. At the same time, a community bank must be aware of its own obligations to the cloud vendor based on the contractual terms agreed to by both parties.
The FFIEC guidance specifies key areas to investigate before signing an agreement should a disengagement of service occur. These areas include the ownership, location(s) and format(s) of data and dispute resolution.
Put the Vendor to the Test
While understanding the safety measures a vendor has in place to protect a bank is extremely important, seeing the vendor in action can provide insight into the success or failure of the safety controls. Community banks need to determine firsthand the adequacy of the vendor’s internal controls to evaluate the potential risks they may encounter.
These internal controls can be validated and assessed by third-party data security reports and certification. These include two widely recognized standards; SOC-2 Type 1 and Type II (Service Organization Controls) as well as SAS 70 (Statement on Auditing Standards). In addition, vendors may offer monthly security reporting, and transparency around their system infrastructure’s uptime and downtime, and data threat protection.
As part of the issued guidance on cloud vendor management, the FFIEC suggests working with auditors to evaluate all vendor actions that can impact a bank. The FFIEC also advises that banks may need to adjust internal audit practices by bringing in new employees or providing new training practices to successfully evaluate the vendor’s abilities to the fullest extent.
Conduct Routine Maintenance
As with all new products and services introduced into a business, community banks need to be particularly aware of how secure their information is once it is entered into the vendor’s system. The FFIEC warns that security adjustments may need to be implemented to ensure both internal and external security risks are taken into consideration. A good cloud partner will be able to counsel a community bank on what security measures to add or update to ensure any and all potential areas of risk are addressed.
Banks are urged to conduct frequent maintenance checks to ensure the safety of their information. This entails a bank keeping detailed records of the data located on the cloud, logged reports each time the data is accessed and who accessed the data. Additionally, the FFIEC urges banks to verify the cloud vendor’s data handling procedures, the availability of data backup and any other customers or service providers using the same outsourced platform.
Set the Vault
While internal security is still a significant concern for any community bank, those choosing to outsource data to the cloud should be particularly aware of how their vendor would handle a potential data breach. The vendor’s business continuity plan can be thought of as a branch’s safety features, such as locks, vaults and alarms.
The FFIEC warns banks to not only be aware of the vendor’s business continuity plan, but also understand its ability to recover data and resume operations quickly should an unforeseen incident occur. Having a firm grasp on how the vendor would handle a potential breach can significantly decrease the negative impact of a data breach just as using dye packs can minimize the risk of loss in a robbery.
The fact of the matter is, not all cloud solutions present a security risk to community banks choosing to store important information and data in the cloud. The key lies in knowing what to look for in a cloud provider. By doing the necessary homework and knowing exactly what the bank needs, bank executives will feel much more confident in migrating information to the cloud and will benefit from the cost savings and efficiency it enables.
In the end, choosing to make the jump to the cloud and asking the right questions when selecting a provider should mirror the steps taken in choosing a core or armored car service to ensure the best decision is made for the bank.
Pierre Naudé is CEO of nCino in Wilmington, N.C. Contact him at 910-777-5382 or www.ncino.com.
Copyright (c) January 2013 by BankNews Media