The Australian Prudential Regulation Authority (APRA) is
concerned that financial institutions are too optimistic about the
benefits of cloud computing and have overlooked the risks
associated with these technologies.
APRA, which regulates the financial sector, has released an
Information Paper expressing its concerns regarding weaknesses in
cloud outsourcing arrangements where IT assets are shared between
entities (shared computing services). This is specifically
differentiated from those services where IT assets are dedicated to
a single entity. APRA states that while this has occurred for many
years, there has been an increase in the 'volume, materiality
and complexity' of these arrangements, including the sharing of
software across industries. Its concern is not the maturing
technology itself, but what it sees as a lack of commensurate
increase in risk management considerations.
These concerns do not seem to be shared by Australian
ABS survey released in July 2015 showed that nearly 60% of
companies stated that there were no factors which limited or
prevented the use of paid cloud computing. The top five reasons for
not adopting paid cloud computing services were:
Several other weaknesses identified in APRA's review of
these outsourcing arrangements include:
inadequate consideration of controls to ensure data
limited due diligence and assurance activities undertaken
impediments placed on APRA's access rights to the service
Under APRA's prudential outsourcing standards CPS 231 and
SPS 231, regulated entities are required to notify APRA within 20
business days if their material business activities are being
outsourced. If outsourcing arrangements are offshore,
APRA-regulated institutions are required to consult with APRA prior
to entering into these agreements. This is to ensure entities have
fully understood and are able to address the heightened risks.
What makes shared computing services a concern to APRA is not
the maturing technology itself, but the lack of risk management and
governance to protect the security of the data. In a further sign
that this topic may continue to be scrutinised by APRA, earlier
this year Bank of Queensland was forced to write off $10 million on
their cloud-based customer relationship program system after they
failed to meet operational and regulatory requirements.
Our Forensic Technology team includes leading computer forensic
experts in Australia and the Asia-Pacific region. Whether it be
reviewing electronic evidence in an intellectual property theft
matter or eDiscovery services, we aim to provide a complete
solution for our clients. From the issues raised by APRA, we can
see that these risks do not only apply to financial institutions
but to all organisations that use shared computer services. As
technology continuously evolves, organisations need to constantly
weigh up the benefits, be aware of the risks and manage them
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.