With all the recent focus on vendor management in general, and cloud vendors in particular, there has been a lot of discussion about changing regulatory requirements and best practices. For the most part, cloud vendors must adhere to the same due diligence, contract, and monitoring guidelines as any other vendor. However, there are a few (often overlooked) elements that must be considered prior to engaging any cloud-based vendor, elements important enough to be deal breakers if you (and they) can’t answer “yes” to each of the following questions.
- Do they contractually hold themselves to the same high data privacy, security, confidentiality, integrity and availability standards required of financial institutions? It used to be understood that anyone offering services to financial institutions had to contractually adhere to GLBA guidelines, but with all the relatively new vendors competing for your business, it can’t be assumed or taken for granted any more. Make sure the contract stipulates it.
- If so, can they document adherence to that standard by producing a third-party report, like the SOC 2? Even if the contract stipulates adherence, you must determine the adequacy and effectiveness of a servicer’s internal controls by requesting, receiving and reviewing the appropriate third-party report prior to engaging…and then periodically throughout the relationship.
- Do you know exactly where your data will be physically stored? The redundant and distributed nature of the data is both the biggest strength and the biggest weakness of cloud vendors. Having data stored multiple times in multiple locations throughout the country is great for high availability, but makes it almost impossible to ensure compliance with your policies for proper handling and storing of information. You must know where your data is located at all times, and how it gets there. And if your data is transmitted or stored outside the U.S., you’ll need to understand the rules and regulations of the hosting country.
- Will they retain and destroy information consistent with your internal data retention policies? Internal retention and destruction policies must be observed regardless of how or where the data is stored. If the data is stored in multiple locations, are all occurrences destroyed? There may be additional regulatory and legal exposure if data is either destroyed too early, or retained too long.
- What happens to your data once your relationship with the vendor is terminated? The vendor disengagement process is particularly challenging with cloud vendors because you can’t simply walk away, and you can’t physically take back or destroy the hard drive either. Is the data irretrievably wiped, or simply deleted? What about the encryption keys?
- Do they have a broad and deep familiarity with the regulatory requirements of the financial industry? According to the most recent statement from the FFIEC on managing cloud vendors, because of the increased legal and regulatory risks, “managing a cloud computing service provider may require additional controls if the servicer is unfamiliar with the financial industry”.
- If so, are they willing and able to make changes to their service offerings necessitated by those requirements? Even if the vendor demonstrates adequate familiarity with the financial industry, are they willing to make the necessary changes in their services if and when regulations change? Unless financial companies make up the majority of their clientele, they may not be, and “under such circumstances, management may determine that the institution cannot employ the servicer.”