WASHINGTON (7/11/12)--Credit unions and other financial institutions should clearly identify and mitigate legal, regulatory, and reputational risks before they decide to use cloud computing for data storage and other computing purposes, the Federal Financial Institutions Examination Council (FFIEC) said in a Tuesday release.
In cloud computing, data are not held in one central spot, but are shared among different servers and locations.
Outsourcing to cloud computing providers can help reduce costs and improve the flexibility, scalability and speed of data use and storage, the FFIEC said. However, credit unions and other institutions should perform adequate due diligence before any moves to such systems are made, and should be aware of cloud-specific security and regulatory issues.
Cloud computing is another form of outsourcing, with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing, the FFIEC said.
Financial institutions should assess the strength of any cloud computing firm's internal controls, and examine their own data security standards, before moving forward, the FFIEC suggested. Cloud storage could increase the frequency and complexity of security incidents, the FFIEC noted. The regulators said financial institutions and cloud computing providers should ensure that their firms effectively monitor their systems for security-related threats, and be sure to have appropriate forensic strategies for investigation and evidence collection in the event of a security breach.
Cloud computing also can create new compliance issues if customer data are stored or processed overseas. Overseas data storage can make it more difficult for financial institutions to assess compliance. Also, due diligence may be more complex and difficult in an environment where the cloud computing service provider processes and stores data overseas, the FFIEC warned.
For the full FFIEC release, use the resource link.