The migration of personal and financial data to the cloud has highlighted, for both financial institutions and their regulators, risks associated with data breaches.  This migration has involved third-party cloud services vendors storing and processing such personal and financial data on behalf of their financial services customers.

Cloud service offerings for financial services customers are expected to comply with the myriad of laws and regulations applicable to the financial services industry, to include the Gramm-Leach-Bliley Act, FFEIC (Federal Financial Institutions Examination Council) requirements and state data protection and privacy laws.   Cloud service vendors, however, may face challenges assuming an obligation to comply with industry-specific laws and regulations.  They offer cloud services in a multi-tenant environment; their customers represent numerous industries subject to varying legal and regulatory frameworks.  Accordingly, customers may be confronted with an obligation to themselves ensure the compliance of their cloud service with industry-specific laws and regulations.

Given this dynamic, what can financial services firms do to ensure that their IT functions continue to comply with applicable laws and regulations as they migrate resources and data to the Cloud?

  • Service configuration and due diligence.

Cloud service offerings enable customers to select from a menu of controls relating to elements of the cloud service, to include access rights, back up and deletion of data, storage location, etc.  The financial services customer and vendor should cooperate in selecting and confirming controls that map to applicable legal and regulatory requirements, such as FFEIC.  To the extent a vendor already offers services to customers within the same industry, the vendor may have significant experience and resources to aid the process.  In any event, mapping out dozens of applicable controls against a regulatory framework can constitute a significant and time consuming exercise for a financial services firm.

Understand and clarify the scope of a vendor’s security commitment.

Security commitments made by the vendor to a financial services firm (in lieu of an express commitment to comply with industry laws and regulations) could be of interest to a regulator for purposes of evaluating the customer’s compliance activities.  The financial services customer should have a clear understanding of the scope and sufficiency of such security commitments.  The liability of the cloud service vendor may be limited to the scope of its security commitment.

  • Secure access rights for regulators.

From time to time, regulators may require information on and/or access to a cloud service offering.  The financial services customer should ensure that such access is contractually permitted on terms that a regulator would find useful or acceptable for purposes of determining compliance.  Such rights could include access to a vendor’s data center and personnel upon request.