[LINK] Banks Warned About Cloud Computing

Tom Worthington tom.worthington at tomw.net.au
Fri Nov 19 09:49:23 AEDT 2010

Australian financial institutions have been warned about the use cloud
computing by the Australian Prudential Regulation Authority. APRA issued
"Outsourcing and offshoring - Specific considerations when using cloud
computing services" (15 November 2010). This is in a letter to
"Authorised Deposit-taking Institutions", including banks, building
societies and credit unions. A similar letter was sent to superannuation

     15th November 2010
     To: ADIs, GIs, LIs (including Friendly Societies)

     Specific considerations when using cloud computing services

     Although the use of cloud computing1 is not yet widespread in the
financial services industry, several APRA-regulated institutions are
considering, or already utilising, selected cloud computing based
services. Examples of such services include mail (and instant
messaging), scheduling (calendar), collaboration (including workflow)
applications and CRM solutions. While these applications may seem
innocuous, the reality is that they may form an integral part of an
institution’s core business processes, including both approval and
decision-making, and can be material and critical to the ongoing
operations of the institution.

     APRA has noted that its regulated institutions do not always
recognise the significance of cloud computing initiatives and fail to
acknowledge the outsourcing and/or offshoring elements in them. As a
consequence, the initiatives are not being subjected to the usual rigour
of existing outsourcing and risk management frameworks, and the board
and senior management are not fully informed and engaged.

     Prudential concerns

     Accordingly, APRA wishes to emphasise the need for proper risk and
governance processes for all outsourcing and offshoring arrangements,
including cloud computing. Key prudential concerns that should be
addressed relate to the potential compromise of:

         * a financial institution’s ability to continue operations and
meet core obligations, following a
         * loss of cloud computing services;
         * confidentiality and integrity of sensitive (e.g. customer)
data/information; and
         * compliance with legislative and prudential requirements.

     Additionally, APRA’s ability to fulfil its duties as prudential
regulator should not be compromised.

     APRA’s prudential regulation

     While APRA has no specific prudential requirements in this area,
the principles in the following
     materials are pertinent to cloud computing:

         * Outsourcing: Prudential Standards APS231, GPS231 and LPS231
and Prudential Practice
           Guide PPG231;
         * Business Continuity: Prudential Standards APS232, GPS222 and
LPS 232, Guidance Notes
           AGN232 and GGN222 and Prudential Practice Guide PPG233; and
         * Management of security risk in information and information
technology: Prudential Practice
           Guide PPG234. Pertinent areas include risk management,
resilience and recovery (including
           offshore IT assets) and service provider management.

     Materiality and risk assessments

     Regulated institutions are reminded that, under the prudential
standards on outsourcing, they are required to consult with APRA prior
to entering into any offshoring agreement involving a material business
activity. The definition of ‘material’ refers to circumstances where
arrangements have the potential, if disrupted, to have a significant
impact on the institution’s business operations or its ability to manage
risks effectively (refer to the prudential standards on outsourcing for
further details).

     As part of their consultations with APRA, regulated institutions
are expected to provide a comprehensive risk assessment. This would
typically include an assessment of the specific arrangements underlying
the services offered, the service provider, the location from which the
services are to be provided and the criticality and sensitivity of the
IT assets involved. APRA would expect the risks to be periodically
reassessed in line with the institution’s risk management framework.

     In APRA’s view, both materiality and risk assessments necessitate a
detailed understanding of the extent and nature of the business
processes (including those pertaining to decision-making and support),
the technology architecture and the sensitive information (customer or
other) impacted by the outsourcing arrangement. APRA has observed that,
to date, assessments of cloud computing proposals typically lack
sufficient consideration of these factors.

     As part of its regular onsite review processes, APRA will continue
to examine outsourcing/offshoring arrangements of regulated
institutions, including those involving cloud computing, to ensure
prudential concerns are adequately addressed.

     Should you have any questions or comments, please contact ...

     Yours sincerely
     General Manager
     Supervisory Support Division

1     The term generally describes a delivery model where dedicated or
shared IT assets (software, hardware and data/information) are consumed
as a service. This can involve the provision of IT assets by a third
party located offshore.

Tom Worthington FACS CP HLM, TomW Communications Pty Ltd. t: 0419496150
PO Box 13, Belconnen ACT 2617, Australia  http://www.tomw.net.au
Adjunct Senior Lecturer, School of Computer Science, The
Australian National University http://cs.anu.edu.au/courses/COMP7310/
Visiting Scientist, CSIRO ICT Centre: http://bit.ly/csiro_ict_canberra

More information about the Link mailing list