
Is Your Financial Institution’s Data Safe in the Cloud? FFIEC Issues Joint Statement on Cloud Computing

Terri Luttrell, CAMS-Audit, CFCS
May 11, 2020

Cloud computing is an efficient and cost-effective way of housing data and is becoming a mainstay for data services and infrastructure across the globe. According to the International Data Corporation (IDC), cloud computing spend is estimated to reach $277 billion in 2021, with an annual growth rate of approximately 22%.

The financial services industry is often cautious about moving data to the cloud, and rightly so with a heavy concentration of customers’ private information. Security breaches involving cloud computing highlight the importance of sound security controls and a clear understanding of cloud service providers’ risk management policies.

On April 30, 2020, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement highlighting best practices for a financial institution's safe and sound use of cloud computing services and safeguards to protect customers' sensitive personal information. The statement does not introduce new regulatory expectations; rather, it outlines risk management best practices that give financial institutions confidence in moving to the cloud.


What is Cloud Computing?

Cloud computing environments allow cloud service providers to segregate and serve multiple clients on a common set of physical or virtual hardware. Three of the more common cloud service models have different levels of shared responsibilities between provider and client and are listed below: 

  • Software as a Service (SaaS) – The cloud service provider hosts the application and all of the infrastructure that supports it, and is responsible for patching, upgrading and maintaining both. The client manages its own data and user accounts within the application.  
  • Platform as a Service (PaaS) – The cloud service provider supplies and manages a platform (operating system, runtime and middleware). The client deploys and manages its own applications and data on that platform.  
  • Infrastructure as a Service (IaaS) – The cloud service provider manages the physical infrastructure in its datacenter. The client remotely manages the virtual machines that run on the provider's infrastructure, including the operating system, patching and applications.  

Regardless of the service model a financial institution uses, the FFIEC makes it clear that risk management remains the responsibility of the financial institution. When considering a provider, due diligence and sound risk management practices are critical to ensuring effective controls are in place to protect the financial institution's and its customers' data. 

How can financial institutions mitigate the risk?

As with any data management model, cloud computing comes with varying degrees of risk associated with possible security breaches. It is crucial that financial institutions understand these risks and what to look for when selecting a cloud provider. 

  • Understanding the risk – Financial institutions should understand the risk they are accepting when choosing a cloud provider. A risk-based due diligence process is critical for screening out vendors that do not meet the organization's risk appetite. Not every vendor used by an institution is "critical"; most institutions reserve this risk rating for services that affect transaction operations. Cloud providers should be able to supply due diligence documents, such as a System and Organization Controls (SOC) report, a certificate of cyber liability insurance, penetration testing summaries, and financial statements. Vendor oversight should be ongoing and documented, with critical vendors re-evaluated annually, or more often as needed.  
  • Know your data is secured – When working with cloud providers, it is critical to understand where your data is, how it is being secured, and what happens to customer data when services end. Even if a third party hosts your data, it is still the institution's data, and it is the institution's responsibility to perform adequate due diligence to gain assurance that the data is appropriately secured. Ask your cloud service providers about data encryption at rest and in transit, datacenter location, backup and redundancy, and data destruction. Also, be aware of data ownership and ensure any contract with a cloud service provider specifies your continued ownership of the data and a requirement to securely dispose of your data at the end of the relationship. 
  • Understand User Responsibilities – Understand your responsibilities to mitigate risk as a user of cloud services. Be sure your contract defines service level expectations and control responsibilities. User entity control considerations (UECC) are often included in a service provider's SOC report, and the provider's controls are only effective if the institution, as the user of the service, implements them. For example, user access controls, such as provisioning employee accounts, assigning roles within the cloud service, and removing access when employees leave, are typically the institution's responsibility to manage, and they are not covered by the provider's attestation. Understanding this responsibility closes control gaps and helps to mitigate risk to your environment.  
  • Audit and Control Assessment – Leverage third-party attestation reports from your cloud service provider to gain assurance of the effectiveness of the control environment hosting your data. When reviewing a vendor's SOC report or penetration test summary, pay attention to any findings or exceptions noted in the report, and check that the report's scope and period actually cover the service and locations you use. Findings could indicate a weak control environment and should be remediated by your vendors, with the remediation tracked in your vendor oversight file.  
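The user-entity controls described above are the part of the SaaS shared-responsibility model that no SOC report covers for you, so an institution has to check them itself. The following script is an added illustration and is not code from the FFIEC statement or from Abrigo; it audits a tenant's user export against a hypothetical access-management policy (maximum number of administrators, MFA required for privileged roles, dormant-account threshold, and a leaver check against an HR feed). The policy values, role names and sample user records are all constructed for the example.

```python
"""Audit a SaaS tenant's user export against the institution's own
user-entity control responsibilities: role assignment, MFA on privileged
roles, dormant accounts and deprovisioning of leavers.

Added example; all policy values and user records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy. A real institution would take these values from its
# access-management standard and the user-entity controls listed in the
# provider's SOC report.
POLICY = {
    "max_admins": 2,                              # keep the admin group small
    "mfa_required_roles": {"admin", "approver"},  # privileged roles need MFA
    "dormant_days": 90,                           # disable after 90 days idle
    "allowed_roles": {"admin", "approver", "analyst", "read_only"},
}

# Fixed "today" so the sample audit is reproducible.
TODAY = date(2020, 5, 11)


@dataclass(frozen=True)
class CloudUser:
    username: str
    roles: frozenset        # roles assigned inside the cloud service
    mfa_enabled: bool
    last_login: date
    hr_status: str          # "active" or "terminated", from the HR feed


def _days_ago(n):
    return TODAY - timedelta(days=n)


# Constructed sample export (not real data).
SAMPLE_USERS = [
    CloudUser("alice", frozenset({"admin"}), True, _days_ago(3), "active"),
    CloudUser("bob", frozenset({"admin"}), False, _days_ago(10), "active"),
    CloudUser("carol", frozenset({"admin", "analyst"}), True, _days_ago(1), "active"),
    CloudUser("dave", frozenset({"read_only"}), False, _days_ago(120), "active"),
    CloudUser("erin", frozenset({"approver"}), True, _days_ago(5), "terminated"),
    CloudUser("frank", frozenset({"superuser"}), True, _days_ago(2), "active"),
]


def audit_users(users, policy, today):
    """Return a sorted list of (finding_code, subject) tuples."""
    findings = []

    # Tenant-wide check: too many administrators among active staff.
    admins = sorted(u.username for u in users
                    if "admin" in u.roles and u.hr_status == "active")
    if len(admins) > policy["max_admins"]:
        findings.append(("ADMIN_COUNT", ",".join(admins)))

    for u in users:
        # A terminated employee who still has an account is the most
        # serious gap; report it and skip the remaining checks.
        if u.hr_status == "terminated":
            findings.append(("LEAVER_ACTIVE", u.username))
            continue
        # Roles the institution's standard does not recognise.
        if u.roles - policy["allowed_roles"]:
            findings.append(("UNKNOWN_ROLE", u.username))
        # Privileged role without MFA.
        if not u.mfa_enabled and u.roles & policy["mfa_required_roles"]:
            findings.append(("MFA_MISSING", u.username))
        # Account idle longer than the dormancy threshold.
        if (today - u.last_login).days > policy["dormant_days"]:
            findings.append(("DORMANT", u.username))

    return sorted(findings)


def run_sample_audit():
    """Run the audit over the constructed export."""
    return audit_users(SAMPLE_USERS, POLICY, TODAY)


if __name__ == "__main__":
    for code, subject in run_sample_audit():
        print(f"{code:14} {subject}")
```

In practice the input would be the provider's user export (most SaaS administration consoles offer a CSV or API for this) joined against the institution's HR system, and the audit would run on a schedule with findings fed into the same vendor oversight file that tracks SOC report exceptions. The point is that these findings are the institution's to produce and remediate; the provider's attestation assumes they are being handled.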

Cloud computing has been available for many years and, when managed properly, provides a secure, effective way to manage your data and infrastructure. Abrigo offers a SaaS hosting model for our customers and is responsible for changes, upgrades, and maintenance of our applications when our hosted solution is utilized.  

Abrigo understands the requirements of our customers to perform due diligence and provide customers transparency into our security practices. All customers have access to our third-party assurance reports (SOC and penetration testing), policies and procedures, certificate of insurance, disaster recovery testing, audited financials, and more. Our datacenters are in the United States, so your data does not leave our borders. We encrypt customer data in transit and at rest. Customers have the right to request data destruction upon the termination of services. Expect the same from your cloud vendors. 

Megan Castraniio, Emily Davidson-Toman, and Edward Callis contributed to this post. 

About the Author

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.

