May 04, 2020

FFIEC statement offers clarification on managing cloud computing service risks

The Federal Financial Institutions Examination Council (FFIEC), which includes the NCUA and CFPB, Friday issued a statement on behalf of its members to address the use of cloud computing services and security risk management principles in the financial services sector.

In the statement, the FFIEC clarifies how risk can be managed when using cloud computing services, suggesting that financial institutions may choose to leverage managed security services “to assist with managing and monitoring security for cloud computing services.”

While the statement does not contain new regulatory expectations, it highlights that management should not assume that effective security and resilience controls exist when technology systems are operating in a cloud computing environment.

On risk, the statement says that a “careful review of the contract between the financial institution and the cloud service provider along with an understanding of the potential risks is important in management’s understanding of the financial institution’s responsibilities for implementing appropriate controls.”

NAFCU is a leader in calling for national data security standards and has continuously urged lawmakers to consider national standards for institutions that collect and store consumer information.

The association will continue to work diligently to equip credit unions with information and resources needed to protect themselves and members against all forms of banking fraud.