People like to joke about the amorphous nature of “the cloud.” It’s neither here nor there but also everywhere.
While the cloud may seem mysterious to the layperson, there shouldn’t be anything secretive about your third-party vendors’ cloud use. If your vendor is housing any of your client or sensitive data on the cloud, you need to know about it.
Should Vendors Use the Cloud?
Examiners expect your institution to have a specific policy on cloud use. That means your institution needs to dedicate resources to understanding what role the cloud will play in data management. There are many questions to consider. In what situations is cloud use acceptable? What controls should be in place to manage cloud use?
Some institutions may wish to avoid the cloud altogether to eliminate the risk. This may ultimately prove impractical, if not impossible, as cloud computing becomes more prevalent and is likely here to stay. Electing not to use the cloud may severely limit your institution’s technology options and offerings over time.
Your policies and procedures should demonstrate that you understand the potential risk of the cloud, are aware of the specific security implications, and have controls in place to mitigate that risk.
Due Diligence & Vendor Agreements
Relationships with third-party vendors hosting client or sensitive data on the cloud need to be carefully researched and managed with due diligence measures.
It’s essential to carefully review vendor agreements. That includes:
Requiring disclosure of cloud use. Your contract should specifically require a vendor to disclose if it or one of its vendors stores your data on the cloud or if your data is moved to the cloud. You don’t want to discover that you’ve unknowingly been storing your institution’s data on the cloud.
Outlining the controls in place to protect data. Use your vendor agreement as a tool to ensure your vendor understands the importance of safeguarding data protected under the Gramm-Leach-Bliley Act (GLBA) and other sensitive data. Your agreement should make clear your vendor’s commitment to following regulations and best practices for protecting data, including data stored on the cloud. These controls should be consistent with your institution’s cloud policy and mitigate risk.
Ensuring access to tools to review IT controls and policies. It’s your business to know how your vendor stores and protects GLBA-protected and other sensitive data. From SSAE 18 reports to audit results to penetration test results, your contract should guarantee access to reports and other documents demonstrating that your vendor is proactively protecting data.
Notice of breach. Does your third-party vendor need to tell you if there is a security breach? The reality is that many vendors will be silent unless they are contractually obligated to disclose a breach. A contract needs to require notice of breach. More than that, it needs to define what constitutes a breach, how long a vendor has to report the breach, and the option to terminate the contract in the event of a breach.
Subcontracting assignment. Can the vendor transfer its rights and responsibilities to another party, including moving your data to that party’s cloud? If the agreement is silent, then it is assignable.
As more vendors move to cloud-based services like Amazon Web Services, it becomes increasingly important to understand how vendors are using third parties. This is known as fourth-party risk. Contracts should require a financial institution’s notice and consent before a vendor can outsource to another vendor, including one that uses the cloud.
If the vendor won’t agree to that provision, at a bare minimum the vendor should be willing to tell you about the change so your institution can operationalize around it based on who the new vendor is and its level of security. This will help you govern relationships and protect information.
Termination clauses. In the event of a breach, your institution needs the ability to exit the vendor relationship without penalty. It’s bad enough to lose data. It only makes things worse to have to pay for a product or service your institution discontinued using because you deemed it unsafe.
Insurance. Is the vendor required to maintain insurance? If so, what type? Does it fit the services being provided, whether it’s an internet application or bill pay? Is cybersecurity included in errors & omissions coverage? There are over 30 types of cybersecurity coverage in the United States. It’s important to make sure the coverage your vendor has will cover a breach.
The contract should address these topics, requiring adequate levels of insurance to cover liability or a breach. The vendor should be required to provide annual certification of insurance. No matter how many cybersecurity measures are in place, it’s important to have a deep pocket to go after if a breach occurs.
A carefully drafted contract along with proactive monitoring can help ensure that cloud-based vendors are taking the responsibility of protecting your institution’s data seriously and give you recourse in the event of a breach.
To learn more about managing third-party cyber threats, check out our whitepaper Guarding Against Cybersecurity Threats: Assessing Third Parties and Measuring What Matters.