The Australian Prudential Regulation Authority (APRA) has released its updated guidance: Outsourcing involving cloud computing services (Guidance), which provides APRA-regulated entities with best-practice guidance to assist those entities in mitigating the risks associated with the use of cloud-based IT services (Cloud Services).The Guidance categorises Cloud Services into three broad categories denoting inherent levels of risk (low, heightened and extreme) according to how the technology is to be utilised. It explains APRA's endorsed best-practice approach to customers' internal processes and practices in respect of the procurement of Cloud Services in each risk category. Broadly, the greater the risk level ascribed to the cloud arrangements procured by an entity, the more involved APRA expects to be in the risk management process followed by that entity.
The Guidance also identifies potential problem areas for regulated entities to identify and address in relation to existing and future Cloud Services, including:
- Proposals for Cloud Services driven by cost considerations, which may not adequately address the customer's specific risk profile;
- Fast-tracked transitions to Cloud Services with an inadequate focus on data migration and transition;
- Inadequate ongoing oversight and governance processes; and
- Inadequate contingency plans for disruption and availability issues.
The Guidance goes on to suggest measures to address these potential problems, such as the conducting of due diligence commensurate with the criticality and/or sensitivity of IT assets, and, where entities are tasked with designing the operating and/or security models for Cloud Services, designing these models from the perspective that the cloud environment is capable of being compromised.
As cloud technology continues to advance and usage grows, APRA urges regulated entities to assess the adequacy of their internal risk management practices in relation to the use of Cloud Services. Despite the benefits of utilising outsourced cloud-based solutions, APRA notes that availability issues and disruptions to Cloud Services may have material consequences for customers, such as interruption to business operations and difficulties in accessing critical information.
Further, Cloud Services may carry an increased risk in terms of the security and confidentiality of a customer's information (which, in the context of APRA-regulated entities, will most often include Personal information). To this end, customers should ensure that the back-up and encryption practices of its cloud providers are adequate and accord with industry best practice.
APRA encourages regulated entities to review and, where necessary, revise their risk management practices in relation to Cloud Services, with a view to helping those entities ready themselves for the formalisation of the Guidance into new prudential standards and practice guides.