The Australian Prudential Regulation Authority (APRA) information paper on outsourcing involving shared computing services

In July APRA released an information paper detailing its views on prudential risks and issues relating to arrangements involving “shared computing services”, including (importantly for many APRA-regulated entities) cloud arrangements. APRA released the information paper because of the “increase in the volume, materiality and complexity of outsourcing arrangements involving shared computing services” raised with APRA as part of the consultation and notification requirements under CPS 231 and SPS 231 (which applies to registrable superannuation entities). The information paper distinguishes between (a) arrangements which involve the sharing of IT assets (including hardware, software and/ or data storage) with other parties and (b) ‘private cloud’ arrangements.

Depending on the response of APRA-regulated entities to the paper, it is unlikely that in the short term APRA will produce a prudential standard that applies specifically to shared computing services, including cloud services. These types of technologies and service delivery avenues continue to develop and evolve. As a result, it would not surprise if APRA and other similar regulators around the world are reticent to produce rigid and prescriptive requirements that could be obsolescent on release. However, if entities take no heed of APRA’s observations and suggested practice recommendations, APRA might look to impose an increased level of prescriptive regulation coupled with greater oversight and enforcement.

Cloud computing in Hong Kong

The Hong Kong Privacy Commissioner for Personal Data (PCPD) recently published an information leaflet outlining the application of the Personal Data (Privacy) Ordinance (the PDPO) for data users looking to engage cloud providers. The information leaflet outlines the data protection principles (DPPs) which apply in the context of cloud services, and highlights the particular characteristics of cloud computing that give rise to risks from a privacy perspective.

While there are obvious benefits in engaging a cloud service provider, it can also present a loss of control over the processing and storage of personal data rendering it ‘higher risk’ from a privacy perspective. This does not mean that cloud services should not be used, but it does mean that appropriate steps should be taken to address these risks. Click here for further information.

Cyber risk: What does the future hold?

Cyber insurance is one of the hottest topics in insurance right now, affecting small businesses and governments alike. Jacques Jacobs and Peter Jones, both partners at law firm DLA Piper Australia, tell us how the latest legal developments will affect the space going forward. 

Cyber risk: What does the future hold?

Cyber insurance is one of the hottest topics in insurance right now, affecting small businesses and governments alike.

Click here to view the video