APRA's new draft guide, "Managing Data Risk": how does your business manage its risk?

The Australian Prudential Regulation Authority (APRA) has recently released a draft "Prudential Practice Guide PPG 235 Managing Data Risk" (Guide), which is open for discussion until 29 March 2013. The Guide seeks to assist the organisations APRA regulates, being authorised deposit-taking institutions (ADIs), insurers and super funds, in "managing data risk" by outlining what APRA regards as sound information management practices.

The Guide complements APRA's 2009 "Prudential Practice Guide 234 Management of security risk in information and information technology" and goes further to address issues which APRA has identified as areas of potential weakness in the industry.

Whilst deliberately non-prescriptive, the Guide highlights APRA's expectations and provides an insight into what the regulator is considering. For instance, the Guide states that APRA considers outsourcing and offshoring activities to exacerbate data management risks, and therefore APRA expects regulated institutions to ensure they are able to: comply with legislative and prudential requirements; continue operating after a loss of services; retain the ability to maintain critical or sensitive information; and allow regulators unimpeded access to fulfil their functions.

These are important factors to consider, and it can be said that, to a degree, offshoring and outsourcing information does exacerbate risk. However, they are only two of the risk factors in a considered approach to the management of information risk. Jeffrey Bleich, the US Ambassador to Australia, writing in The Age on 11 December 2012, cautioned against the fear of global information management, labelling it "cloud protectionism" and likening its followers to those who keep their money hidden under mattresses for fear of the banks.

The reality is that, irrespective of where information is located, the primary risks facing businesses remain significant. For instance, the risks posed by the theft of a company laptop or an employee's misuse of information remain, and hackers do not care where the data is held when they attack websites. These, however, are risks with which businesses may be more accustomed, compared with the comparatively recent risks and relative unknowns involved in outsourcing and offshoring. Ultimately, there is a range of factors that businesses need to take into account when managing their information; outsourcing and offshoring are only part of the risk matrix to be considered.

Information management strategies continue to evolve reactively in response to new business practices and technological advancements. Whilst APRA has taken steps, with the draft Guide, to address what are currently perceived as information management weaknesses in the industry, businesses should also be aware that the Australian Government has introduced new restrictions through recent amendments to the Privacy Act 1988 (Cth) (Privacy Act Amendments).

The Privacy Act Amendments include the introduction of the Australian Privacy Principles (APPs) and a wide range of provisions dealing with credit reporting. Relevantly, the APPs will restrict the ways in which businesses may use or disclose personal or sensitive information and will have ramifications for the disclosure of information overseas. Businesses should start preparing now in order to be compliant with the Privacy Act Amendments, which will come into force in March 2014. More information about the APPs can be found here.

APRA's latest draft Guide turns the spotlight onto information management, which is an ever-present issue for many responsible businesses and one that needs appropriate attention. It would be unfortunate, however, if the Guide were interpreted as unduly stressing that offshoring and outsourcing are the greatest risks to data security. Businesses should be aware that in-house measures are just as exposed. Proper engagement with your outsourcing and offshoring providers should identify and address the risks, and may allow your information to be managed with better expertise than is available within your business. For assistance with your information management, contact the Middletons Technology team.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
