When Peoples Bank & Trust's email system crashed earlier this summer, it turned to a hosted solution to ensure future continuity, and thus triggered an emerging and muddled compliance challenge many banks face.
"The email crash took us down a couple of days. Email is very important to the function of the bank, so we couldn't take that risk of a crash again," says Robert Porter, vice president and IT director at the bank, a $275 million-asset community bank based in Hazard, Ky. The bank moved its entire email system to a hosted Safe Systems solution called SafeSysMail. It's also using an email archiving and encryption service from Safe Systems. For a bank that only has two IT workers, the move to a hosted environment is expected to save about $80,000 over the next three years.
But in so doing, the bank is also putting itself under the purview of a new statement from the FFIEC that's designed in part to address the growing use of cloud computing services by banks. While the bank says it's confident that it's in compliance, the guidance has come under fire in the bank tech industry for an alleged lack of precision in defining cloud computing and specific risks that could create security gaps.
"The FFIEC guidance does not spell out what you need to do, it's a document that talks about things to be concerned about," says Rod Nelsestuen, a senior research director at CEB TowerGroup.
The FFIEC defines cloud computing as a migration from owned resources to shared resources in which a client receives information technology services on demand from third party service providers via the "internet cloud."
While definitions of cloud computing vary, the FFIEC's definition is on the broader end of the spectrum. Since Peoples' email outsourcing deal is being hosted, managed and delivered electronically to the bank's staff by an external provider, the bank is making sure the program adheres to the FFIEC's new cloud guidance. Safe Systems' email hosting carries the new certifications often used to vet cloud providers.
The FFIEC statement, issued earlier this summer, says banks need to perform a risk assessment of the providers of cloud services as per its definition of the cloud. That includes vetting how the provider classifies data sensitivity, and what controls are in place to protect data. Other issues such as data segregation and disaster recovery are also included in the guidance, as well as whether the service provider is sharing facilities with other firms. The FFIEC is stressing the importance of ensuring data can be protected and securely removed from all locations where it is stored outside of the bank.
There have also been other attempts to define cloud computing and its risks. Last year, the Open Data Center Alliance - which includes large banks such as JPMorgan Chase, UBS and BBVA - adopted security and transparency guidance that the institutions use to vet cloud vendors. The European Commission, a regulatory body tied to the European Union, also recently issued guidance that includes a list of more than a dozen issues that should be covered in contracts between banks and cloud vendors - including data erasure protocols, security practices, and guarantees that the cloud provider and all subcontractors only act on instructions from the cloud client.
Shirley Inscoe, a senior analyst at Aite Group, says the criticisms of the FFIEC suggest the U.S. guidance is "high level" and treats cloud computing like another kind of outsourcing. "There's not even a general consensus of what the term cloud means. There are a lot of [cloud] vendors that say they can do everything under the sun for a low cost."
Inscoe says the guidance touches on most issues, "but you have to anticipate that bankers will read between the lines and they really have to be knowledgeable about the issues connected to cloud computing that aren't spelled out in the guidance. That's fine when you are talking about large financial institutions, but for smaller institutions and credit unions where they can't afford the in-house expertise, it's a disappointing document," Inscoe says.
She says that for smaller banks that may not be particularly knowledgeable about cloud computing, it would be wise to consult with an internal or external consultant who has expertise in outsourcing.