The Australian Prudential Regulation Authority (APRA) has released an information paper on prudential considerations and key principles in relation to outsourcing computing services including shared computing services.
The information paper focuses on ‘shared computing services’ which refers to arrangements involving the sharing of IT assets with other parties (whether labelled cloud or otherwise). This excludes those arrangements where IT assets are dedicated to a single APRA-regulated entity (including ‘private cloud’ arrangements).
APRA’s review of these arrangements Under CPS 231 and SPS 231 has identified some areas of weakness.
Usages having an extreme impact if disrupted include, in particular, hosting systems of record holding information essential to determining obligations to customers (such as customer identity, current balance/benefits and transaction history).
Under CPS 231 and SPS 231, regulated entities are required to consult with APRA prior to entering into an outsourcing arrangement involving a material business activity where offshoring is involved.
Similarly, when the use of shared computing services involves heightened inherent risks, APRA encourages prior consultation, regardless of whether offshoring is involved. The intent is to ensure that the APRA-regulated entity has adequate capability to understand and manage the heightened risks.
Heightened inherent risk derives from either an increased likelihood of a disruption or where a disruption would result in a significant impact.
Use of shared computing services with low risk
Examples of shared computing usage with low risk include:
- shared facilities, with each entity’s IT assets located on separate hardware; and
- shared infrastructure hosting the following:
applications and data stores with low criticality and sensitivity (as classified by the APRA-regulated entity);
non-production environments (e.g. test and development) populated with desensitised data; and
websites that deliver publicly available information.
Use of shared computing services with heightened inherent risk
Arrangements involving highly critical and/or sensitive IT assets that result in either an increased likelihood of a disruption or where a disruption would result in a significant impact.
Typically heightened inherent risk would be present where one or more of the following apply:
- exposure to un-trusted environments;
- exposure to environments where tenancy is available to non-financial industry entities (i.e. ‘public cloud’);
- unproven track record of: the provider, the shared computing service, the specific usage, the control environment, or the APRA-regulated entity in managing an arrangement of comparable size, complexity, and/or risk profile;
- high degree of difficulty in transitioning to alternate arrangements;
- provider has a high degree of freedom to alter the underlying service and control environment;
- inability for an APRA-regulated entity to assess the design and ongoing operational effectiveness of the control environment;
- jurisdictional, contractual or technical considerations which may inhibit operational oversight or business continuity in the event of a disruption (including impediments to timely access to documentation and data/information); and/or
- transition to the arrangement involves a complex, resource intensive and/or time-constrained program of work.
Use of shared computing services that, if disrupted, can have an extreme impact
Hosting systems of record holding information essential to determining obligations to customers (such as customer identity, current balance/benefits and transaction history).
Bright Corporate Law provides advice on legal, regulatory and contractual compliance issues relating to IT outsourcing.