APRA releases information paper on outsourcing involving shared computing services, including cloud

The Australian Prudential Regulation Authority (APRA) today released an information paper on prudential considerations and key principles in relation to outsourcing involving shared computing services, including cloud.

APRA Cloud Update

While shared computing services may bring benefits, such as economies of scale, they also bring associated risks. These can vary considerably depending on the particular usage. Low-risk usages are those involving IT assets with low criticality and sensitivity. Other usages involve heightened risk, such as the exposure of highly critical and/or highly sensitive IT assets to ‘un-trusted’ environments, necessitating a greater degree of caution and supervisory interest. For these arrangements, APRA encourages prior consultation.

The information paper also discusses weaknesses that APRA has identified as part of its ongoing supervisory activities, reflecting that risk management and mitigation techniques are yet to fully mature in this area. In particular, it is not readily evident that ‘public cloud’ arrangements have reached a level of maturity commensurate with usages having an extreme impact if disrupted.

Usages having an extreme impact if disrupted include, in particular, hosting systems of record holding information essential to determining obligations to customers (such as customer identity, current balance/benefits and transaction history).

