CLOUD-BASED DISASTER RECOVERY IN THE FINANCIAL SECTOR: IS IT TOO RISKY?
There’s no doubt that outsourcing cloud-based data vaulting, recovery and archival can be risky, especially considering that cybersecurity threats are increasing. On top of that, the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, Appendix J holds you responsible for evaluating the business resiliency of each third-party technology service provider (TSP) — and their subcontractors.
Third-party compliance is costly and time-consuming as it is. In fact, 38 percent of financial institutions participating in a PwC survey had 1,000-10,000 active third-party relationships. Almost 25 percent had more than 10,000! With that being the case, extending your resources to cover fourth-party TSP risks seems impossible.
The Challenges of Keeping Disaster Recovery In-House
But what’s the alternative to outsourcing? To bring those disaster recovery functions in-house? That has its own risks, considering that human error is the root cause of 52 percent of data breaches. Most reported incidents were attributed to the following causes:
- Failure to follow policies and procedures (both by end users and IT staff)
- Lack of expertise
- Inadequate knowledge about new threats
- Plain and simple carelessness
Keeping services in-house might make it easier for you to tick regulatory checkboxes, but it doesn’t necessarily improve your data and network security.
Outsourcing the Right Way
Contrary to what you may think, not only is technology outsourcing feasible, but it could actually help you adhere to compliance obligations, if done right.
The key is to partner with a third party that's experienced in serving the financial services industry and is familiar with FFIEC guidelines. This type of vendor can ease your third- and fourth-party risk management burden by having third-party SOC 2 audits conducted, providing critical documentation related to business continuity practices, being transparent about subcontractor relationships and involving any necessary resources in tests. They should also be able to provide service level agreements (SLAs) that fulfill FFIEC requirements.
In addition, a single vendor can often provide several services, such as network security, cloud vaulting, infrastructure as a service (IaaS) and data archival. By consolidating services, you can spend less time monitoring multiple vendors.
Reducing Risk With BlackVault Managed Recovery Platform
As a disaster recovery and business continuity services provider serving the financial sector, we know how to meet the unique needs of financial institutions. Our fully managed BlackVault Managed Recovery Platform offers several integrated cloud-based data and network security services.