
BFCSA: APRA 2010 Regulator warns Australia's finance industry on cloud risks


Regulator warns Australia's finance industry on cloud risks

November 16 2010

http://www.itnews.com.au/news/regulator-warns-australias-finance-industry-on-cloud-risks-238817

APRA's cloud computing fears published in open letter.

Australian banking regulator APRA has written an open letter to the financial services industry, urging executives to view cloud computing as a new form of outsourcing or offshoring that requires the regulator's tick of approval.  The rise of cloud computing has - as formerly expressed by CSC chief technology officer Bob Hayward - "caught the regulator by surprise."  Earlier this year the regulator stepped in to apply pressure on one wealth management firm that had endeavoured to migrate its CRM system to Salesforce.com, hosted in Singapore.

Today's letter [PDF] - first reported on technology news site Delimiter - reinforced APRA's view that cloud computing is still untested technically and legally.  The regulator said organisations migrating services such as messaging and calendaring, collaboration and CRM to the cloud should be concerned about serious risks to the business.  "While these applications may seem innocuous, the reality is that they may form an integral part of an institution's core business processes, including both approval and decision-making, and can be material and critical to the ongoing operations of the institution," APRA said in the letter.

"APRA has noted that its regulated institutions do not always recognise the significance of cloud computing initiatives and fail to acknowledge the outsourcing and/or offshoring elements in them," the letter said.  "As a consequence, the initiatives are not being subjected to the usual rigour of existing outsourcing and risk management frameworks, and the board and senior management are not fully informed and engaged.  "Regulated institutions are reminded that, under the prudential standards on outsourcing, they are required to consult with APRA prior to entering into any offshoring agreement involving a material business activity."

APRA expects that any outsourcing project that could hinder an organisation's ability to manage risks effectively or have a "significant impact on the institution's business operations" requires the regulator's approval.  Those wishing to embrace the cloud are required to undertake a "comprehensive risk assessment" around the type of service, the service provider and where it is located, and the "criticality and sensitivity of the IT assets involved."  "APRA has observed that, to date, assessments of cloud computing proposals typically lack sufficient consideration of these factors," the letter said.  The letter will prove a blow to U.S.-owned cloud computing providers such as Amazon's EC2, Salesforce.com, Microsoft's Azure and Google's App Engine - all of which to date are hosted elsewhere in Asia.

 

Privacy and Security Issues

 

27 July 2015

 

http://herbertsmithfreehills.com/insights/issues/new-ways-of-doing-business/global-money-and-payment-services-privacy-and-security-issues/tabs/apra-releases-paper-on-outsourcing-of-computer-services

 

On 6 July 2015, APRA released an Information Paper [1] on outsourcing of shared computer services including cloud computing. APRA is of the view that cloud computing is not secure or mature enough to manage the risks involved, such as breach of confidentiality or an inability to access information. However, it expects the use of shared computing services to continue to evolve, as the maturity of risk management also evolves.  Where shared services are being used for highly sensitive or highly critical IT assets, APRA encourages regulated entities to approach these services with caution and consult with APRA prior to entering into the agreement, even if offshoring is not involved.  APRA’s media release [2] contains further information.

Endnotes

  1. Outsourcing involving shared computing services (including cloud).
  2. APRA releases information paper on outsourcing involving shared computing services, including cloud.

 

 

