Managing Cloud Vendors
Ensuring Data Security Is Bank VP's Responsibility
Outsourcing data backup and other functions to cloud providers can help with business continuity and disaster recovery, says Wunderlich, the vice president and operational risk manager at Washington Trust Bank, a $4 billion institution based in Spokane.
But choosing the right one involves asking the questions, reviewing audits and examinations, and consistently testing recovery capabilities.
In July 2012, the Federal Financial Institutions Examination Council issued a resource for banking institutions to follow when choosing a cloud computing vendor (see FFIEC's New Cloud Info 'Disappointing').
But Wunderlich says most of the regulatory guidelines included in that resource relate to vendor management.
"The FFIEC's guidelines ... reiterated a lot of the vendor management standards they had mentioned before."
From a compliance perspective, banking institutions have to know that the cloud vendors they work with follow certain standards, such as those set by Statements on Standards for Attestation Engagements, he says.
SSAE 16 is an internationally recognized third-party assurance audit. "Part of SSAE 16 and really understanding what type of encryption they offer," Wunderlich says.
Most cloud vendors that cater to financial services providers are examined by federal banking regulators, Wunderlich adds. Requesting copies of those examination reports is an essential component of the due diligence banking institutions should perform on vendors before they sign a contract, he says.
Really understanding the vendor's encryption practices, for instance, is key, Wunderlich explains.
"[Banking institutions need to] understand the vendor they're going to be working with," he adds.
During this interview, Wunderlich discusses:
- The benefits the cloud offers for disaster recovery and business continuity;
- How working with a third-party vendor offering other banking services can prove beneficial; and
- Why ongoing and regular testing of cloud recovery capabilities must be part of an institution's due diligence.
At Washington Trust, Wunderlich oversees IT and physical security, and manages the bank's anti-money-laundering practices and fraud-prevention compliance programs. He also is responsible for risk management and internal controls, as well as vendor management, business continuity planning and policy-review oversight. Wunderlich is a certified information security manager.