Vendor risk management is an ongoing process—one that begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. This blog series on the Top 10 Risks will help you more effectively address third-party vendor risk throughout every department in your financial institution.
#1 Cloud Risk
Perhaps there’s no buzz word more confusing to bankers and credit union executives than the “cloud.” It evokes an ethereal image of data floating safely and serenely overhead, able to materialize on screen with the press of a button.
But the cloud is a place on earth. Actually, many places on earth.
The cloud is basically a bunch of data centers. Using the cloud is buying space on someone else’s infrastructure to store and/or process data which you can then access via the Internet. Sometimes these computers are used exclusively by one institution, known as a private cloud. Other times, several clients use a cloud, known as a shared cloud.
The cloud faces all the same risks as any other third-party IT vendor—cyber risk, reputation risk, operational risk, etc. After all, it’s a physical location with all the same inside and outside threats any organization faces. But its growing use and importance is undeniable—and it’s starting to attract regulator attention.
For now, the only agency to release something official on cloud risk is the FFIEC and its 2012 statement on Outsourced Cloud Computing in 2012—but don’t let that give you a false sense of security. Regulators are looking closely to see that institutions are aware of cloud risk and are taking steps to mitigate or lower the risk.
The FDIC has highlighted it as an existing and emerging risk—a sign that cloud risk is not to be ignored.
Specifically, the FDIC suggests institutions ask:
- What is the type of cloud? (Private or shared)
- Who has access to the data?
- Where is the data?
- Is the data backed-up?
- What is the third-party’s control structure?
- Can you perform effective/on-going due-diligence?
- How difficult is it to disengage?
While financial institutions are concerned with cybersecurity risk, cloud service providers create their own unique risks in vendor management, and these risks need to be evaluated beyond just the normal cybersecurity risks.