InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC asks how cloud computing affects competition and data security
On March 22, the FTC announced it is seeking information on cloud computing providers’ business practices with respect to the potential impact on competition and data security. FTC staff noted that the agency is also interested in how cloud computing is impacting specific industries, including healthcare, finance, transportation, e-commerce, and defense. The request for information (RFI) solicits feedback on a range of issues, including (i) market power and competition (e.g. do particular segments of the economy have to rely on a small handful of cloud service providers); (ii) contract negotiation flexibility; (iii) incentives given to customers to ensure they obtain more of their cloud services from a single provider; (iv) security risks (e.g. what are the data security implications if particular segments of the economy rely on a small number of cloud service providers, and are these providers competing on their ability to provide secure storage for customer data); (v) products or services tied to artificial intelligence; and (vi) how cloud providers identify and notify customers of security risks related to security design, implementation, or configuration. Comments on the RFI are due May 22.
NIST Seeks Comments on Cloud Computing Security Document
On June 11, the National Institute of Standards and Technology (NIST) published a draft security document that provides a comprehensive security model to supplement other NIST efforts to develop a standard vocabulary and implementation framework for the integration of cloud-based applications across the government. NIST will accept comments on the draft document through July 12, 2013. Although NIST’s resources are developed for use by federal agencies, they can influence other policy decisions and may serve as a resource for private firms seeking to understand the benefits and risks of cloud technology.
FFIEC Issues Statement on Cloud Computing Vendors
On July 10, the federal banking regulators, through the Federal Financial Institutions Examination Council (FFIEC), published a statement on outsourcing of cloud computing services by financial institutions. The statement explains that the regulators consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. The statement goes on to outline the key risks of outsourced cloud computing, focusing on due diligence, vendor management, information security, audits, legal and regulatory compliance, and business continuity planning. The statement concludes that “[c]loud computing may require more robust controls due to the nature of the service. When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service.”