Heading into 2020, investments in companies providing cloud computing services were on fire. Various research firms (here and here) estimate that worldwide spending on public cloud services is growing at a compound annual growth rate that falls between 15 percent and more than 22 percent. As cloud computing matures, many financial institutions are considering the benefits that it can provide. In an October 2019 report on a worldwide survey of bankers, a vendor reported that just over half of all bankers surveyed indicated that they currently have or plan to have a cloud adoption strategy in place within the next two years. Keep in mind that this survey was administered before COVID-19 changed, at least temporarily, the business environment.

Because so much work, banking, and commerce occurs remotely, demand for cloud computing has risen. Although cloud computing can offer advantages, financial institutions need to assess and monitor the risks just as they do with other third-party providers. This may be why the Federal Financial Institutions Examination Council (FFIEC) thought the timing was right to release a statement in late April on Security in a Cloud Computing Environment.

A key takeaway from the FFIEC statement is that even though cloud providers have controls in place, or offer controls, to create a secure environment, the "buck" ultimately stops with the financial institution. It remains the financial institution's responsibility to ensure that proper security protocols are in place based on the service level agreement with its cloud providers. As with other third-party relationships, financial institutions are responsible for ongoing oversight and monitoring of their cloud providers. It may be necessary for a financial institution to implement security protocols above and beyond what cloud providers offer.

Cloud computing can make our lives easier, as evidenced by those who have been able to work remotely during the past few months. But we must also recognize the risks it poses and mitigate those as much as possible. Although the FFIEC statement doesn't contain any new regulatory expectations, it does provide excellent guidance along with a multitude of resources and references for financial institutions seeking information on cloud computing risk management. By employing effective risk management practices, financial institutions can minimize the risks of the cloud becoming a storm cloud and keep the sun shining brightly on a secure environment!