By Cindy Williams
Choosing the right Cloud provider might sound like the realm of IT, but it often falls upon the credit union compliance officer. Either way, compliance will be part of the process. What risks should your CU be considering before signing a cloud contract? Read on to find out.
Credit union leaders from technology to marketing, lending to business development hear about “The Cloud” all the time. Generally, the sense is that this technology is the greatest thing since sliced bread. While that may be true, compliance officers should be on high alert when their credit union is talking about making the switch. That’s because partnering with the wrong cloud provider can greatly change a cooperative’s risk environment.
Why has Cloud vendor due diligence become the domain of the compliance officer, you may ask. Shouldn’t this fall to the IT department?
First, many small credit unions don’t have an IT department.Second, some of the most critical areas to examine, such as information security and disposal of member information, are most closely aligned with compliance. Third, regulators are taking a closer look at financial institutions’ third-party due diligence policies and procedures. If your credit union prefers IT to take the lead, that’s perfectly fine. Just be sure compliance is involved in the process – both before entering into an agreement and on an ongoing basis.
There are at least fiverisks to consider before signing a Cloud contract. These include:
- Overall health of the provider
- How the provider shares data
- Physical and cyber security of the provider
- Emergency and back-up plans
- Exit terms of the contract
Just a few of the indictors you can use to evaluate a vendor’s overall health are: the length of time it has been in business as well as how long it has provided Cloud services; the provider’s relationships with other third parties; and any recent litigation in which the provider has been involved.
Data Segregation& eDiscovery
How your provider shares your proprietary data is an incredibly important consideration. Ask after the vendor’s practices to understand how your information is segregated from that of its other clients. When considering this risk, keep in mind that a Cloud provider can be compelled by law enforcement and/or regulators to hand over your data even if doing so goes against its regular business practices.
Get to know more about the controls, such as encryption and physical security, that are used to ensure data is properly protected. Is the provider required to protect your data to the same level you do internally? It’s critically important for you to be satisfied that the contract will sufficiently address your credit union’s compliance with laws that govern privacy, data breach reporting and notification of members following a compromise.
Find out how the provider conducts regular backup and recovery tests as well as whether there are limits to the amount of data that can be backed up. A natural question here is how old data is deleted from the system. It’s not overreaching to ask detailed questions, such as how the provider disposes of its hardware upon replacement.
Set expectations about data breaches upfront. Inquire as to whether the provider has experienced any unauthorized access during the last year and what its plans are in terms of notifying you when compromises occur. Don’t be discouraged if the provider has suffered a recent breach. Often the experience results in an improved security system, policies and procedures vs. an attitude of “A breach will never happen here.”
Become aware of the provider’s plans for transferring member data to an alternate supplier if the need arises as well as its anticipated timeframe for data restoration in the event of a loss. What are the provider’s contingency plans during natural disasters or system outages? Does the contract include provider liability for an interruption of service or loss of data?
Lastly, will the provider accept your proposed partnership dissolution terms? Importantly, what will happen to your data upon a parting of ways or if the provider goes out of business? It’s vital to have an agreement in place that adequately covers how your data will be returned and within what time period.
To be sure, there are great benefits to moving information and access to The Cloud. It may, in fact, be the greatest thing since sliced bread. Of course, choosing which of the countless varieties of sliced bread will make up your sandwich isn’t easy.
Wheat, white, high-fiber, whole grain, low-calorie – the options and their respective risks and benefits are enough to make your head spin. At the same time, making the right decision can greatly improve your diet. Cloud technology is no different. The choices are plenty, and the right decision can have a hugely positive impact on the credit union’s overall health. Take the time to research, and be sure to document your due diligence, because regulators will want to see you’ve done your homework.
Cindy Williams is vice president of regulatory compliance for PolicyWorks,a national leader of credit union compliance solutions. She can be reached at firstname.lastname@example.org.