CLOUD REPORT n 34 n U.S. DEPARTMENT OF THE TREASURY
In addition to GLBA rules that apply to certain CFTC-regulated entities,[56] the CFTC has implemented system safeguards requirements for certain other registered entities.[57] Those entities must establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk through the development of appropriate controls and procedures and automated systems that are reliable, secure, and have adequate scalable capacity. In addition, the system safeguards require that those registered entities have business continuity and disaster recovery plans sufficient to enable timely recovery and resumption of operations, generally by the next business day.[58] And for derivatives clearing organizations (DCOs) designated by FSOC to be systemically important, the requirement is resumption of operations two hours following the disruption.[59] Furthermore, if a DCO determines to meet any system safeguards requirement using a contractual arrangement with another DCO or other service provider, the DCO shall retain complete responsibility for any failure to meet related safeguards requirements and the DCO must employ personnel with the expertise necessary to enable it to supervise the service provider’s delivery of the services.[60]
EXAMINATION AND SUPERVISION OF FINANCIAL INSTITUTIONS
Subject to the scope of each agency’s authorities, FBIIC members’ supervision and examination of financial institutions may include a financial institution’s technology operations and related risk management programs. Agencies may review a financial institution’s governance related to technology and cybersecurity risks, assess the financial institution’s risk management program for IT security and resilience, and review the results of tests of relevant response and recovery programs to understand the resiliency of the financial institution’s operations and services.[61] For example, the FDIC, FRB, and OCC review whether supervised institutions’ third-party relationships and risk management practices are consistent with the safety and soundness of those institutions. Such reviews may also include understanding how a financial institution manages the risks posed by services provided to the institution by third parties.[62] The Federal Financial Institutions Examination Council (FFIEC),[63] FHFA,[64] and others have issued documents that provide examples of risk management practices that
56. See 17 C.F.R. Part 160; id. at § 160.30 (providing rules for “[e]very futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, and swap dealer subject to the jurisdiction of the [CFTC]”).
57. System safeguards requirements apply to derivatives clearing organizations, designated contract markets, swap execution facilities, and swap data repositories. 17 C.F.R. Parts 37, 38, 39, and 49.
58. 17 C.F.R. § 37.1401(c), 38.1051(d), 39.18(c)(2) and 49.24(d).
59. 17 C.F.R. § 39.34(a).
60. 17 C.F.R. § 39.18(d)(2).
61. For example, in 2021 alone, the FDIC conducted 1,271 specialty examinations for Information Technology and Operations at state nonmember banks, assigning an IT rating using the FFIEC Uniform Rating System for Information Technology. See FDIC, 2021 Annual Report 29, 34, https://www.fdic.gov/about/financial-reports/reports/2021annualreport/2021-arfinal.pdf.
62. This type of review is often referred to as “indirect supervision” of third-party services.
63. See FFIEC, Joint Statement: Security in a Cloud Computing Environment, https://www.ffiec.gov/press/PDF/FFIEC_Cloud_Computing_Statement.pdf; FFIEC, Information Technology Examination Handbook: Architecture, Infrastructure, and Operations, https://ithandbook.ffiec.gov/it-booklets/architecture,-infrastructure,-and-operations.aspx.
64. See FHFA, Cloud Computing Risk Management, AB 2018-04, https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Cloud-Computing-Risk-Management.aspx.