Managing Cloud Vendors

Ensuring Data Security Is Bank VP's Responsibility
Managing Cloud Vendors
Bank regulatory guidelines for cloud providers highlight due diligence, and organizations that don't adequately screen vendors face trouble. Troy Wunderlich of Washington Trust Bank offers tips for vendor managers across industries.

Outsourcing data backup and other functions to cloud providers can help with business continuity and disaster recovery, says Wunderlich, the vice president and operational risk manager at Washington Trust Bank, a $4 billion institution based in Spokane.

But choosing the right one involves asking the questions, reviewing audits and examinations, and consistently testing recovery capabilities.

Vendor Management

In July 2012, the Federal Financial Institutions Examination Council issued a resource for banking institutions to follow when choosing a cloud computing vendor (see FFIEC's New Cloud Info 'Disappointing').

But Wunderlich says most of the regulatory mandates guidelines included in that resource relate to vendor management.

"The FFIEC's guidelines ... reiterated a lot of the vendor management standards they had mentioned before."

From a compliance perspective, banking institutions have to know that the cloud vendors they work with follow certain standards, such as those set by Statements on Standards for Attestation Engagements, he says.

SSAE 16 is an internationally recognized third-party assurance audit. "Part of SSAE 16 and really understanding what type of encryption they offer," Wunderlich says.

Most cloud vendors that cater to financial services providers are examined by federal banking regulators, Wunderlich adds. Requesting copies of those examination reports is an essential component of the due diligence banking institutions should perform on vendors before they sign a contract, he says.

Really understanding the vendor's encryption practices, for instance, is key, Wunderlich explains.

"[Banking institutions need to] Understand the vendor they're going to be working with," he adds.

During this interview, Wunderlich discusses:

  • The benefits the cloud offers for disaster recovery and business continuity;
  • How working with a third-party vendor offering other banking services can prove beneficial; and
  • Why ongoing and regular testing of cloud recovery capabilities must be part of an institution's due diligence.

At Washington Trust, Wunderlich oversees IT and physical security, and manages the bank's anti-money-laundering practices and fraud-prevention compliance programs. He also is responsible for risk management and internal controls, as well as vendor management, business continuity planning and policy-review oversight. Wunderlich is a certified information security manager.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.