Wednesday, July 11, 2012

FFIEC Releases Position Paper on Cloud Computing Outsourcing

Security Concerns for Financial Institutions and Cloud Services

Jason Ray is a senior director in the Technology Practice of FTI Consulting. This column first appeared at InsideCounsel.com, a sister site of Credit Union Times.

The Federal Financial Institutions Examination Council released a statement Tuesday highlighting key elements that financial institutions need to address before deciding whether to outsource cloud computing services.
In its summary statement, the FFIEC said financial institutions have to consider the “fundamentals of risk and risk management defined in the FFIEC Information Technology Examination Handbook (IT Handbook), especially the Outsourcing Technology Services Booklet (Outsourcing Booklet).”
The outsourcing booklet reviews specific issues of cloud computing such as data classification, data segregation and recoverability. The booklet also addresses vendor management, information security, legal, regulatory and reputational considerations, business continuity planning and auditing.
“The FFIEC statement is quite timely because there has been a lot of buzz about cloud computing and how cloud computing can help financial services,” said David Albertazzi, a senior IT analyst with the Aite Group in Boston.
“There are a lot of compelling benefits in cloud computing, but there are a lot of considerations as well. Up until now, there hasn’t been much from regulatory agencies which specifically addresses cloud computing, so the statement is very welcome,” Albertazzi said.
The statement revealed no surprises about FFIEC’s outsourcing guidelines, he said.
“The fundamentals of risk and risk management defined in the IT Handbook apply to cloud computing as they do to other forms of outsourcing. Cloud computing may require more robust controls due to the nature of the service,” the FFIEC position paper reads in part.
“When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service. As with other service provider offers, cloud computing may not be appropriate for all financial institutions,” the paper said.

Companies are quick to incorporate cloud computing into their business functions, and with all the benefits the cloud offers, it's easy to understand why.
Software-as-a-Service (SaaS) platforms, like Salesforce.com, allow employees to conduct their work more efficiently and at a reduced cost to the company. Meanwhile, cloud-hosted social networks, such as LinkedIn, have become important marketing and recruiting tools.
Yet, despite all the good that cloud computing has to offer, the potential risk exposure it presents is enough to keep in-house counsel up at night.
Legal departments are just beginning to understand how cloud computing may impact e-discovery, and the initial reaction of many corporate counsel is to exert extensive control over the flow of electronic information. However, as the landscape of cloud-based apps and social media changes on a daily basis, attempting to control the actions of employees is becoming an impossible task.
The key then is not to control information in the cloud, but to concentrate on risk mitigation and defensibility. The way to do this is to understand the technology, develop proactive policies and establish management and audit procedures.

Understanding the tech

No one expects in-house counsel to become tech experts. However, corporate lawyers should at least have an awareness of the technology that exists. Without a basic understanding of the spectrum of solutions available, it is impossible for legal to develop effective policies.
Attending tech-oriented CLE events and seminars is a good way to stay in the know about developments in business and personal technology that may affect your company. You also should have an open dialogue with your IT department to understand the type of cloud-based applications that your company uses. In addition, IT can help you determine what information lives where, whether on the corporate network or on infrastructure held by a third-party provider.

Developing the policies

Once you know the technology your employees use and the types of data stored, you can begin to develop proactive policies around application usage that will help mitigate your risk should a matter arise. The purpose of these policies is to minimize the scope of potential e-discovery collection efforts in advance of litigation by establishing a list of company-approved applications. What should remain off this list is any technology that does not provide some means of oversight.
For example, regardless of what tactics a company employs, it is nearly impossible to prevent employees from sending personal emails while at work. Thus, the key is not to quash the behavior, but rather to set some guidelines. One way to do this is to implement a policy that states your corporate email system is the only email system employees can use, whether for work-related or personal emails.
The point is that you can't stop employees from acting, and there is a high likelihood that they will not consistently adhere to policy. Instead, in-house counsel should enact policies that limit the scope of company-approved technology, thereby minimizing data collection efforts in the event of a discovery request.

Managing, auditing and updating

Of course, no policy is worth the paper it is written on if you cannot adequately manage and audit it. To ensure the defensibility of your directives, you will need to establish a procedure that informs and reminds employees of your technology policies, especially if it is discovered that an employee has run afoul of them.
You will also need to develop a means to audit this process. By maintaining records that reflect your continual commitment to your policies, you can increase defensibility should your opponent raise any objections. For example, if opposing counsel makes a broad request for all information that may be potentially relevant to a case, you can argue that you only need to search the data stores identified on your company-approved list, provided you have the audit trail to prove proper policy management.
Finally, technology is rapidly evolving. Each day, dozens of new mobile applications go public, while companies like Facebook and LinkedIn are constantly tweaking their social media platforms. It is important to keep abreast of the market and to regularly update your policies and procedures to reflect any new technology.

Best practices for the cloud

The following are some best practices that you should consider incorporating into your cloud-computing policies and procedures. Understand that the purpose is not to curb behavior but to proactively limit the scope of your collection efforts by identifying approved cloud-based platforms.
  • Before investing in a SaaS application, do your due diligence. Understand what information is accessible and what reporting functions are included. Many of these applications were not intended for e-discovery, so you will need to know if the technology has the functionality to comply with a discovery request. Include your IT department in the conversation with your prospective vendor.
  • After a matter arises, determine the relevant custodians and question them to understand what technology they use and what data they store where. Doing so will increase the defensibility of your actions.
  • Don't automatically assume you need to search social networks like Twitter and LinkedIn for potentially responsive information. Social media relevance is case-specific: just because information is available there does not mean it is relevant. Concerns about IP theft? Social media may be critical. Patent infringement? Not so much. Question your custodians first to determine how they use such sites, verify whether the case requires expanding to these sources, and then determine if collection is necessary.
  • If you must exert some control over your employees, consider logging their Internet activity (for example, at the corporate web proxy) to keep records of what cloud-based technology they use. In addition, once litigation arises you may want to instruct IT to preserve a custodian's browser cache and history rather than letting them be overwritten or cleared.

1 comment:

  1. The course “Contracting for Cloud Computing Services” is designed to help organizations effectively mitigate the risks associated with cloud computing as described in the FFIEC paper. For more details regarding this course, please see http://www.thomastrappler.com.