Is It Time to Get Your Head Out of the Clouds?
No matter the asset size, a credit union's cloud computing services require a massive amount of due diligence.
Henry David Thoreau famously urged us to build our castles in the sky, but always have our foundations on the ground. Personally, I think that’s a great dictum to remember as your credit union, regardless of its size, considers how best to manage the integration of technology into a cloud environment. On the one hand, cloud computing offers the promise of cost-effectively providing a host of technology for your employees and members, which can allow you to grow more quickly. On the other hand, cloud computing presents unique risks and challenges of which your credit union must be aware and, where possible, take steps to mitigate.
Because, as I like to say, I’m paid to be paranoid, I want to talk about some of the risks and how the growth of cloud computing places even more emphasis on understanding and delineating the respective legal responsibilities of your credit union and vendors.
First, let’s get our language straight. While there is no uniform definition of the cloud, here is a common contract definition that I found in the ever-helpful Law Insider Contract Database: “an Information System having the essential characteristics described in NIST SP 800-145, the NIST Definition of Cloud Computing. For the sake of this provision and clause, Cloud Computing includes Software as a Service, Platform as a Service and Infrastructure as a Service, and deployment in a Private Cloud, Community Cloud, Public Cloud or Hybrid Cloud.”
NIST refers to the National Institute of Standards and Technology, which describes the “essential characteristics of cloud computing services.” The definition also demonstrates that your institution’s interaction with the cloud can take many forms, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). The industry is dominated by a handful of technology heavyweights including Amazon, Microsoft and Google.
Surveys indicate that the vast majority of financial institutions are already using at least some SaaS. But remember, you are also being impacted by the indirect use of various cloud services by your vendor, or your vendor’s vendor. In other words, your credit union is more connected to the cloud than you may realize.
So, what does this mean? In February, the Treasury Department released a report detailing the challenges that both banks and credit unions face as they migrate to cloud computing services. The concerns highlighted by the Treasury include insufficient transparency to support due diligence and monitoring by financial institutions; gaps in human capital to deploy cloud services; exposure to potential operational incidents, including those originating at a cloud service provider; and “dynamics in contract negotiations given market concentration.”
I’m always nervous to suggest reading material, but this is one government report that I think is worth taking the time to read and understand.
All of these are issues that the industry is confronting. Personnel issues are front and center, as they seem to be with every other issue these days. At Thursday’s NCUA board meeting, during his semi-annual cybersecurity briefing for the board, Ernie Chambers, Critical Infrastructure Division director in the NCUA’s Office of Examination and Insurance, noted that one of the most important steps credit unions of all sizes can take to avoid misconfiguring their systems when connecting to the cloud is to understand service contracts and service-level agreements. Misconfiguration of a credit union’s computer systems with a cloud service provider can compromise networks. Unfortunately, at that same briefing, it was also noted that credit unions, particularly small ones, are confronting a shortage of IT professionals.
For years now, the importance of due diligence when onboarding third-party providers has been drummed into credit unions. And of course, this responsibility doesn’t end once the vendor is selected. This is why your most important contracts should include a provision allowing for the auditing of vendor activities. But as the Treasury report noted, given the size and concentration of the cloud industry, meaningful audits are not a realistic option; after all, as many credit unions have learned when dealing with their core service provider, large companies are reluctant to provide too much access to their inner workings. This lack of access underscores the need to gain ongoing access to documentation such as reports detailing auditor findings.
There is also a perception that information placed in the cloud is somehow inherently safer. This may or may not be true. But given the information that is being stored on these servers, it’s essential to ensure that you have notice when a cloud service has been compromised. Again, the Treasury Department report suggests that cloud service providers are reluctant to provide notice of data breaches. This will come as no surprise to anyone who has dealt with major vendors following service disruptions, but it does leave your credit union with a potential blind spot when it comes to Personally Identifiable Information (PII).
Given the size of the institutions we are dealing with and the centrality of cloud computing services to our economy, clearly there has to be more robust government oversight of the major Cloud Service Providers. They are as important today as the railroads were to the growth of our economy in the 19th century or the automobile industry was in the 20th. But in the absence of government action, one of the most basic and important steps your credit union can and should take, regardless of its size, is to understand precisely how dependent the services it provides are on the cloud. Simply talking to your vendors is a good first step.
The growth of cloud computing, coupled with a lack of adequate regulations, also underscores why it is so important to not only try to negotiate fair contract arrangements but to make sure that you understand and execute on your side of the bargain. This means not only reviewing the contract but also drafting service-level agreements which specify in detail who has what responsibilities and what the consequences are going to be for nonperformance.
Don’t get me wrong, I’m not suggesting that your credit union can or should be afraid of exploring cloud-based services. All I’m suggesting is that a thorough understanding of how this information framework is impacting, and will continue to impact, your credit union should be a major focus of your credit union’s due diligence efforts, irrespective of its size.
Henry Meier is the former General Counsel of the New York Credit Union Association, where he authored the popular New York State of Mind blog. He now provides legal advice to credit unions on a broad range of legal, regulatory and legislative issues. He can be reached at (518) 223-5126 or via email at henrymeieresq@outlook.com.