15th November 2010
To: ADIs, GIs, LIs (including Friendly Societies)
OUTSOURCING AND OFFSHORING
Specific considerations when using cloud computing services
Although the use of cloud computing[1] is not yet widespread in the financial services industry, several APRA-regulated institutions are considering, or already utilising, selected cloud computing based services. Examples of such services include mail (and instant messaging), scheduling (calendar), collaboration (including workflow) applications and CRM solutions. While these applications may seem innocuous, the reality is that they may form an integral part of an institution’s core business processes, including both approval and decision-making, and can be material and critical to the ongoing operations of the institution.
APRA has noted that its regulated institutions do not always recognise the significance of cloud computing initiatives and fail to acknowledge the outsourcing and/or offshoring elements in them. As a consequence, the initiatives are not being subjected to the usual rigour of existing outsourcing and risk management frameworks, and the board and senior management are not fully informed and engaged.
Accordingly, APRA wishes to emphasise the need for proper risk and governance processes for all outsourcing and offshoring arrangements, including cloud computing. Key prudential concerns that should be addressed relate to the potential compromise of:
- a financial institution’s ability to continue operations and meet core obligations, following a loss of cloud computing services;
- confidentiality and integrity of sensitive (e.g. customer) data/information; and
- compliance with legislative and prudential requirements.
Additionally, APRA’s ability to fulfil its duties as prudential regulator should not be compromised.
APRA’s prudential regulation
While APRA has no specific prudential requirements in this area, the principles in the following materials are pertinent to cloud computing:
- Outsourcing: Prudential Standards APS231, GPS231 and LPS231 and Prudential Practice
- Business Continuity: Prudential Standards APS232, GPS222 and LPS 232, Guidance Notes AGN232 and GGN222 and Prudential Practice Guide PPG233; and
- Management of security risk in information and information technology: Prudential Practice Guide PPG234. Pertinent areas include risk management, resilience and recovery (including offshore IT assets) and service provider management.
Materiality and risk assessments
Regulated institutions are reminded that, under the prudential standards on outsourcing, they are required to consult with APRA prior to entering into any offshoring agreement involving a material business activity. The definition of ‘material’ refers to circumstances where arrangements have the potential, if disrupted, to have a significant impact on the institution’s business operations or its ability to manage risks effectively (refer to the prudential standards on outsourcing for further details).
As part of their consultations with APRA, regulated institutions are expected to provide a comprehensive risk assessment. This would typically include an assessment of the specific arrangements underlying the services offered, the service provider, the location from which the services are to be provided and the criticality and sensitivity of the IT assets involved. APRA would expect the risks to be periodically reassessed in line with the institution’s risk management framework.
In APRA’s view, both materiality and risk assessments necessitate a detailed understanding of the extent and nature of the business processes (including those pertaining to decision-making and support), the technology architecture and the sensitive information (customer or other) impacted by the outsourcing arrangement. APRA has observed that, to date, assessments of cloud computing proposals typically lack sufficient consideration of these factors.
As part of its regular onsite review processes, APRA will continue to examine outsourcing/offshoring arrangements of regulated institutions, including those involving cloud computing, to ensure prudential concerns are adequately addressed.
Should you have any questions or comments, please contact ...
Supervisory Support Division
[1] The term generally describes a delivery model where dedicated or shared IT assets (software, hardware and data/information) are consumed as a service. This can involve the provision of IT assets by a third party located offshore.
Wednesday, November 17, 2010
Banks Warned About Cloud Computing
Australian financial institutions have been warned about the use of cloud computing by the Australian Prudential Regulation Authority. APRA issued "Outsourcing and offshoring - Specific considerations when using cloud computing services" (15 November 2010). This is in a letter to "Authorised Deposit-taking Institutions", including banks, building societies and credit unions. A similar letter was sent to superannuation funds.