Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


FFIEC outlines best practices on the use of cloud computing

Jun 24, 2020

Financial institutions are turning to the cloud during COVID-19 as a way to allow employees to work from home, but that transition comes with some risks.

To help, the Financial Institutions Examination Council (FFIEC) recently issued guidelines on best practices for financial institutions using cloud computing.

The technology within cloud computing environments is advanced and has the potential to be secure; however, the FFIEC emphasizes that management cannot assume a cloud environment is safe. Management must understand the financial institution’s responsibilities as well as those of the cloud provider to ensure necessary security controls are in place.

This is true regardless of whether the cloud services used are Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS). These are all types of cloud offerings, and the security responsibilities of the financial institution’s management and the cloud provider vary depending on which type it is.

It is important to review the contract to be clear about what your responsibilities are in your cloud environment. Financial institutions should also be sure to review their cloud providers on an ongoing basis to make sure the providers are staying compliant with their responsibilities.

The FFIEC outlines some of the key risk management practices that financial institutions should consider:

  • Cloud computing as part of the financial institution’s strategic plan
  • Ongoing due diligence
  • Clearly defined contract responsibilities
  • Inventory of information assets
  • Security configuration, provisioning, logging and monitoring
  • Identity access management
  • Controls for sensitive data
  • Security awareness training for employees
  • Change management controls
  • Disaster recovery and incident response
  • Ongoing testing and auditing of controls

These considerations regarding cloud environments, along with a review of the cloud provider’s SOC examination report as part of a comprehensive information security management program, can help a financial institution manage risks within its organization.

IT environments change rapidly, which is why it is important to take a risk-based approach to managing them. This includes cloud environments as well as any on-premises environments in use at your financial institution.

Want to learn more?

Our team of cybersecurity and cloud specialists can perform an IT controls review specialized to your financial institution’s needs. Wipfli can help you meet and even exceed regulatory requirements. By performing an IT controls review, you can identify and evaluate your risks, the quality of your IT controls and how well protected your critical assets are. Learn more.


Thomas J. Loring, CISA
Senior Manager
View Profile
Deepening connections
See how we drove our clients’ success — and our success — in FY22.
Learn more