By Toby Duthie, Partner, Forensic Risk Alliance
The chances are you’ll use a cloud-based application today, but are you aware of the risks this seemingly benign technology could pose to you as an individual or to the financial institution you work for? The banking and financial sectors have been drawn to the cloud as wired and wireless broadband internet speeds continue to increase, and as the proliferation of smartphones and tablets that are big on processing power but small on hard drive storage shows no sign of abating. From a practical point of view, the cloud also offers a range of cost savings, because it brings applications and software together within a pool of centrally located servers and allows access to them from any remote location. But it’s not without its risks.
Risk 1: International data protection laws
Cloud-based working necessitates placing company data – potentially including customers’ confidential financial information – on third party servers in data warehouses that could be located anywhere in the world. This carries a potential risk for financial institutions as they could come into conflict with local privacy laws. Keep in mind that data protection laws and rights are applied in the territory in which the data is stored, rather than where it is generated, modified or created. Those with responsibility for assessing operational risk within financial institutions would, therefore, be very wise to have a conversation with their IT department – ideally before a cloud service contract is signed – and check the location of all their provider’s servers.
Risk 2: Data Monitoring By US Intelligence Agencies
Concerns are growing across all industries, but particularly within the global financial community, that the collection of metadata relating to phone calls by US intelligence agencies may well be extended to include Internet metadata. This could feasibly encompass emails, video and voice over IP and social media content stored in the cloud. President Obama’s speech at the start of 2014 did nothing to ease these concerns – in fact it suggested in stronger terms than before that data entering the US through tech companies such as Google, Apple, Dell and Yahoo (to name just a few) could well be subject to wholesale access and monitoring in the future. Financial organisations should be aware that once their data is shared with a third party service provider with a US footprint (such as a cloud service provider or social network site), the expectation of privacy offered by the US Constitution’s fourth amendment risks being forfeited.
Risk 3: How Far Does US Law Actually Reach?
It could be argued that even if a US cloud service or remote back-up and recovery company has servers in a foreign country (which could feasibly be deemed a “US server”), that server and the data on it could still be subject to FISA (Foreign Intelligence Surveillance Court) rules and related court orders. Time will tell if Microsoft’s servers located outside the US will fall into this category, and if its status as a US company makes the location of its servers irrelevant. This is an important issue for banks and financial services companies that use cloud-based applications powered by US companies. By their nature, cloud-based applications require companies to place their data on third-party servers in data warehouses that could be located in the US (or on servers outside the US that are managed and maintained by US companies). In response to NSA spying revelations, financial organisations need to think seriously about how and where they store their data. Many business leaders might now be asking if the ease-of-use and cost-saving benefits of using applications like Google Docs, Apple’s iCloud and DropBox – or other cloud computing offerings – are worth the risk. Businesses may also legitimately be starting to ask whether their regular data back-up and protection policies, which might include making remote back-ups to US-based data centres, could bring them into conflict with ever-tightening European data protection laws. We strongly recommend that financial, corporate and personnel-related data is always housed in its jurisdiction of origin or in one that carries similar protections. In the light of Obama’s speech, it has never been more important for companies to consider this as they assess their data storage, back-up and access policies and weigh up how much use to make of cloud-based computing in their daily work.
Risk 4: Data protection vs. data disclosure
Adopting a cloud computing strategy across the globe can expose multinationals operating in the financial sector to contradictory laws in different countries. For example, if a French company (which is subject to French data protection laws) takes out a service contract with a cloud provider that centrally stores its email data in the US, the company makes itself vulnerable to breaking both French and US laws in the event of US litigation or investigation – even if that data was created or modified outside the US or France. The company may wish to comply with a US discovery request or US government subpoena, but will need to resolve the conflict this creates with stringent French data protection and other laws which preclude the transmittal of data outside of France. And the penalties on both sides can be very high: data protection breaches carry fines in the millions as well as criminal sanctions in some countries, while the failure or inability to respond to US discovery risks penalties or even spoliation fines, which can be significantly higher. Keep in mind that the same is true in reverse – i.e. for US companies using a cloud service provider based in France.
Risk 5: Where does your cloud service provider store its back-up data?
Find out where your cloud services provider backs up copies of your data (they all make copies of client data to maintain 24/7 access and to offer service level guarantees). Ask for the backups they make of your data to be stored in the same location you specified for your original data and applications. FRA strongly recommends that high-risk data – such as financial, corporate and personnel-related data – is always housed in its jurisdiction of origin or in one that carries similar protections. Emails are often highly sensitive in EU jurisdictions and carry strong data privacy rights, which makes transmitting or producing them outside of their jurisdiction of origin not just risky, but potentially illegal. So, if you can’t get a location-based guarantee from your cloud provider, think very carefully about the data and applications you put into a cloud environment – and carry out a full risk assessment.
Risk 6: Fraud in the cloud…
These days, personal and corporate information is a currency, and there are unscrupulous people willing to break the law to get their hands on it and then trade with it. In order to prevent theft or fraudulent activity, financial institutions should familiarise themselves with their cloud service provider’s own security policies and determine what procedures are in place to control access to the information they hold. In particular they should:
• Ask their cloud service provider about its policies on passwords, laptop and portable device use by staff, personal software download policies and its tolerance of cyber-slacking.
• Get their IT departments to check the kind of encryption used by their cloud service provider to transport data.
It’s important to make sure these two points are built into any risk assessment of cloud service providers, as carelessness in either of these areas has the potential to expose cloud service providers to data leakage and information theft, as well as increasing the possibility of malware getting onto their servers. All of which can compromise data held by financial organisations.
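The second bullet above asks an IT department to check the encryption a provider uses to transport data. The script below is an added example of how such a check can be made repeatable; it is not code from the article or from FRA. It opens a TLS connection to a provider endpoint, records the protocol version, cipher suite, key size and whether the certificate chain verified, and grades the result against a simple policy. The hostnames and the policy thresholds (TLS 1.2 or later, no RC4/DES/NULL/EXPORT/MD5/anonymous suites, at least 128-bit keys, a verifiable certificate) are assumptions chosen for illustration; adjust them to your own standard.

```python
"""Transport-encryption check for a cloud provider endpoint.

Added example, not taken from the article or from FRA. Hostnames below
and the policy thresholds are assumptions chosen for illustration.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import List


@dataclass
class TlsObservation:
    """What was actually negotiated with one endpoint."""
    host: str
    protocol: str        # e.g. "TLSv1.3", as reported by SSLSocket.version()
    cipher: str          # e.g. "TLS_AES_256_GCM_SHA384"
    key_bits: int        # symmetric key size negotiated
    cert_verified: bool  # chain and hostname validated against the system CA store


# Policy (assumed): accept only TLS 1.2/1.3 and reject suites built on
# known-broken or anonymous primitives.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON", "ADH", "AECDH")
MIN_KEY_BITS = 128


def assess(obs: TlsObservation) -> List[str]:
    """Return a list of findings; an empty list means the endpoint passes policy."""
    findings = []
    if obs.protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"{obs.host}: deprecated protocol {obs.protocol}")
    upper = obs.cipher.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            findings.append(f"{obs.host}: weak cipher component {marker} in {obs.cipher}")
            break
    if obs.key_bits < MIN_KEY_BITS:
        findings.append(f"{obs.host}: key size {obs.key_bits} bits below {MIN_KEY_BITS}")
    if not obs.cert_verified:
        findings.append(f"{obs.host}: certificate chain did not verify")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Connect to host:port and record what the server negotiated.

    A verifying context is tried first. If the certificate fails validation,
    the handshake is retried without verification purely so the protocol and
    cipher can still be observed and reported; the failure is kept as a finding.
    """
    def connect(ctx: ssl.SSLContext) -> TlsObservation:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _version, bits = tls.cipher()
                return TlsObservation(
                    host=host,
                    protocol=tls.version() or "unknown",
                    cipher=name,
                    key_bits=bits,
                    cert_verified=(ctx.verify_mode == ssl.CERT_REQUIRED),
                )

    strict = ssl.create_default_context()  # validates chain and hostname
    try:
        return connect(strict)
    except ssl.SSLCertVerificationError:
        lax = ssl.create_default_context()
        lax.check_hostname = False
        lax.verify_mode = ssl.CERT_NONE
        return connect(lax)


def audit(hosts: List[str]) -> List[str]:
    """Probe each host and collect every policy finding."""
    findings = []
    for host in hosts:
        try:
            findings.extend(assess(probe(host)))
        except (OSError, ssl.SSLError) as exc:
            findings.append(f"{host}: handshake failed ({exc})")
    return findings


if __name__ == "__main__":
    # Usage: python tls_check.py provider.example.com [another.host ...]
    for line in audit(sys.argv[1:]):
        print(line)
```

`assess` is kept separate from `probe` so that the policy can be unit-tested on recorded observations (for example, results exported from a provider's own transparency report) without network access, and so the same policy can be applied to endpoints reached over a private link.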
Cloud computing provides many benefits, but security, privacy and legal matters must be carefully considered and continuously reviewed. It is likely that, in the not too distant future, companies relying on cloud computing will be subject to litigation along with their cloud service providers. It is, therefore, imperative that your organisation fully understands the legal, security and privacy issues that surround the technology before implementation – and that, once deployed, board members, legal teams and IT departments all work together to stay one step ahead and avoid cyber law headaches as well as potential incidents of fraud and corruption.
Editor’s note on FRA:
Forensic Risk Alliance (FRA) is a consulting firm with offices in the US, UK, France and Switzerland. It helps businesses to resolve complex and high-risk financial, legal and regulatory challenges. Its people provide independent, conflict-free advice and litigation support services, often in the local language as its team speaks virtually all of the world’s key business languages, including most European languages as well as Arabic, Mandarin and Cantonese Chinese, Malay and Bahasa Indonesia. FRA collects and analyzes data for use in legal disputes and investigations (often cross-border) in a number of areas, including litigation, fraud, bribery and corruption investigations. The company has extensive worldwide project experience in Latin America, Asia, Europe, Africa and the Middle East. FRA is one of only ten companies in the world approved to carry out validation audits for the EITI (Extractive Industries Transparency Initiative) which evaluate how well a country’s government conforms to the EITI’s standards of transparency in reporting revenue received from the extraction of natural resources. Members of the FRA team also provide expert witness testimony in court when required and have recently contributed two chapters to the Serious Fraud Office’s book ‘Serious Economic Crime – a boardroom guide to prevention and compliance’. For more information, please visit www.forensicrisk.com
About the Author:
Toby Duthie is one of FRA’s co-founders and heads its London office. With experience in cases involving government enforcement in the UK and the US, his expertise lies in internal and regulatory investigations, data protection and complex financial modeling, with particular experience in global, multi-jurisdictional cases. Toby was instrumental in the development of FRA’s service in the anti-corruption and white-collar defense arena across Europe. He spent more than five years in the US, gaining extensive experience advising on damages amounts in a number of complex civil and criminal litigations and in connection with a number of high-profile FCPA enforcement actions (e.g. Panalpina, Bonny Island LNG and Oil for Food). He has also worked on matters involving the UK, Swiss and French regulators.
Toby Duthie, Partner, Forensic Risk Alliance
Phone: +44 (0)20 7 269 7837
Cyber-slacking: The act of avoiding work and/or other responsibilities by scouring the internet in search of games or other non-work related amusements. Cyberslacking is estimated to cost companies billions of dollars a year and has forced some companies to block or limit access to certain types of web sites.