WASHINGTON – NCUA and banking regulators on Tuesday said institutions that use cloud computing services may need to impose stronger risk-management controls, given the new challenges the technology carries in terms of protecting data and complying with regulations.
The regulators said migrating data to an Internet “cloud” managed by a third-party service holds potential advantages for financial institutions, such as cost reduction, speed and flexibility. But it also may require more robust controls and should be treated as a form of outsourcing, said the agencies that make up the Federal Financial Institution Examination Council.
“When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service,” said the agencies.
In fact, cloud computing might not be appropriate for all financial institutions, the agencies said.
The agencies provided a range of recommendations for ensuring sound risk management, including ensuring regulatory compliance, maintaining proper control over vendors, protecting data against security incidents and adjusting audit policies.