Banks Should Heed Internal Watchdog's Critique of the FDIC's Transition to Cloud Computing
A recent survey of bank executives reported that cloud computing was a top-five spending priority and eight out of ten respondents indicated that at least twenty percent of their operations would be in the cloud by the end of 2023. For many banks, the transition to cloud computing is a cost-effective means of improving customer services and the use of cloud-based services may provide a platform for the introduction of innovative, fintech-based products. Yet, despite the widespread availability of proven cloud computing solutions, many banks struggle with the decision to move sensitive customer information to a cloud environment. The decision requires a thorough risk management review, a comprehensive vendor risk assessment, and the development of a sound strategy for the management of data once it enters the cloud. That’s why banks considering cloud computing may find it helpful to review the Federal Deposit Insurance Corporation (“FDIC”) Inspector General’s (“IG”) recent report on the FDIC’s own adoption of cloud computing services.
Like the strategic plans of many banks, the FDIC's strategic plan contemplates moving most of its "mission essential" and "mission critical" systems to the cloud. In 2023, the agency had thirty-eight percent of its systems in the cloud, spread across seven cloud platforms. But following a cloud computing strategy requires the adoption of sound governance processes to manage the associated risks. Like many banks, the FDIC did many things right as it moved to a cloud-based environment. But the IG identified several areas of weakness that are instructive for any bank that moves essential operations to the cloud:
- The IG found that the FDIC did not have data governance requirements for data stored in the cloud and did not maintain a proper inventory of cloud-based data. A data governance framework that tells the user what data is stored in the cloud, where it is stored, and how sensitive it is is critical to managing privacy and security concerns; without an inventory, a bank cannot reliably apply access controls, retention rules, or breach-notification obligations to data it does not know it holds.
- The IG found that the agency did not have a strategy that describes when and how to exit a cloud provider relationship. As dependency on cloud-based solutions grows, banks that move operations to the cloud need an exit strategy that ensures minimal disruption to operations if the decision is made to move to a new provider, including how data will be exported in a usable format and how the bank will confirm the former provider has deleted it.
- The IG found that the FDIC did not have a contract management plan to ensure that expected deliverables were received and that any performance risks and contract vulnerabilities were mitigated. A move to the cloud is a major expense for any bank, and a process must be in place to identify and address a cloud vendor's performance deficiencies. If contract management is inadequate, the bank's resources may be used inefficiently, and operational issues may disrupt the delivery of critical banking services.
- The IG found that the FDIC did not have a process to decommission legacy systems. When bank systems migrate to the cloud, a tandem process is necessary to decommission the related legacy systems. This process includes consideration of record retention protocols, cost-effective exiting of legacy system contracts, and the disposition of legacy system hardware. A failure to manage the decommissioning process may increase bank expenses and could expose the data stored in legacy systems to cybersecurity risk, since a forgotten system tends to go unpatched and unmonitored while still holding live customer data.
The IG report is reminiscent of the kind of inquiry that examiners typically make at institutions that utilize cloud services and brings to mind the old tale of the shoemaker’s children going barefoot. A review of the report is recommended reading at banks thinking about moving key systems to the cloud.
Disclaimer
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.