The Australian Prudential Regulation Authority (APRA) has released an updated information paper ‘Outsourcing involving cloud computing services‘ on the use of shared computing services by APRA-regulated entities.
The update is a response to APRA’s observation of the growing use of cloud computing services by APRA-regulated entities, an increasing appetite for higher inherent risk activities, as well as areas of weakness identified as part of supervisory activities.
Since 2015, there has been a continuous evolution of both cloud computing service offerings and APRA-regulated entities’ risk management.
Generally, service providers have strengthened their control environments, increased transparency regarding the nature of the controls in place, and improved their customers’ ability to monitor their environments. APRA-regulated entities have also improved their management capability and processes for assessing and overseeing the services provided.
The updated paper reflects APRA’s more open stance on cloud usage.
When APRA released its first information paper on the subject in 2015, it expressed reservations about the use of the cloud for initiatives with heightened or extreme inherent risk.
APRA recognises that the risks associated with the use of cloud computing services will depend on the nature of the usage, and for the purposes of the paper APRA has classified these risks into three broad categories: low, heightened and extreme:
- For arrangements with low inherent risk not involving off-shoring, APRA would not expect an APRA-regulated entity to consult with APRA prior to entering into the arrangement.
- For arrangements with heightened risk, APRA would expect to be consulted after the APRA-regulated entity’s internal governance process is completed.
- For arrangements involving extreme inherent risk, APRA encourages earlier engagement as these arrangements will be subject to a higher level of scrutiny. APRA expects all risks to be managed appropriately commensurate with their inherent risk. However, for extreme inherent risk, APRA expects an entity will be able to demonstrate to APRA’s satisfaction, prior to entering into the arrangement, that the entity understands the risks associated with the arrangement, and that its risk management and risk mitigation techniques are sufficiently strong.
In a recent speech APRA Chair Wayne Byres observed:
The new paper acknowledges advancements in the safety and security in using the cloud, as well as the increased appetite for doing so, especially among new and aspiring entities that want to take a cloud-first approach to data storage and management. To be clear, cloud usage is not without risk – but nor is the status quo. In addition to reinforcing steps to minimise the risks of cloud usage, the information paper also summarises observed weaknesses that industry must continue to focus on. And while cloud usage, as with all other shared service arrangements, involves a degree of shared responsibility, boards and senior management of regulated entities remain ultimately accountable for the security of their data. That accountability cannot be outsourced.