In brief
In response to its concerns about the potential risks associated with 'shared computing services', including cloud computing, APRA has issued an information paper that sets out prudential considerations and key principles for APRA-regulated entities using such services. Partner Michael Morris, Senior Associate Phil O'Sullivan and Associate Elyse Adams report.
On 6 July 2015, the Australian Prudential Regulation Authority (APRA) released an Information Paper on outsourcing involving shared computing services (including cloud) in recognition of the increased use of shared computing facilities by APRA-regulated entities looking to leverage economies of scale. This paper supersedes the 15 November 2010 letter to APRA-regulated entities outlining specific considerations when using cloud computing services.
The information paper highlights APRA's view that risk management and mitigation in this field is still developing and is not yet fully mature, and it encourages ongoing dialogue between APRA and APRA-regulated entities.
New key principles recommended
APRA-regulated entities are already subject to Prudential Standards CPS 231 and SPS 231, under which they are required, among other things, to consult with APRA before entering into an outsourcing arrangement involving a material business activity where offshoring is involved.
However, in response to APRA's view of the heightened inherent risks associated with shared computing services arrangements, the paper encourages prior consultation by regulated entities regardless of whether offshoring is involved.
APRA has shied away from introducing any new prudential standards in this field. Instead, this paper outlines prudential considerations and the key principles APRA-regulated entities should consider when outsourcing shared computing services (whether labelled cloud or otherwise). APRA indicates that such prudential practices would normally include:
- a well-considered strategy (that is not solely cost-driven);
- effective governance arrangements (and implementation of those arrangements);
- appropriate consideration of IT risk (including security and recovery); and
- sufficient assurance mechanisms.
Concerns re risks and weaknesses
The paper also outlines the weaknesses in systems and procedures that APRA has observed to date through its ongoing supervisory activities, and proposes approaches that can be taken to mitigate them.
The paper notes that 'hosting systems of record-holding information essential to determining obligations to customers (such as customer identity, current balance/benefits and transaction history)' could expose an APRA-regulated entity to extreme impact if those systems are disrupted. Such disruption could leave the APRA-regulated entity unable to perform its obligations.
Please do not hesitate to get in contact with us if you would like to know more about the prudential considerations and key principles highlighted in the paper and how they may impact on your shared computing arrangements.