FFIEC Joint Statement on Risk Management for Cloud Computing Services
Summary:
The FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), is issuing the attached statement addressing the use of cloud computing services and security risk management principles in the financial services sector.
Statement of Applicability to Institutions under $1 Billion in Total Assets: This Financial Institution Letter (FIL) applies to all FDIC-Supervised Financial Institutions.
Highlights:
- Inherent in the use of cloud computing services are shared responsibilities between the provider and the client. The attached document identifies responsibilities financial institutions would have when contracting with cloud computing providers.
- The attached document provides examples of risk management practices for a financial institution's safe and sound use of cloud computing services and safeguards to protect its customers' sensitive information from risks that pose potential consumer harm.
- The attached document includes a list of public and private sector resources and references that can assist financial institutions with managing cloud computing services.
Suggested Distribution:
FDIC-supervised financial institutions and their service providers
Suggested Routing:
Chief Executive Officer
Chief Information Officer
Chief Information Security Officer
Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).