Australia: APRA provides fresh guidance on cloud services

Introduction

The Australian Prudential Regulation Authority (APRA) has published an information paper¹ that sets out some of the prudential considerations and key principles that APRA-regulated entities should consider in the context of outsourcing arrangements involving "shared computing services", which include cloud services. In this legal update we review the information paper and highlight some of APRA's concerns on the use of cloud services by APRA-regulated entities, the first such guidance since 2010. Whilst APRA acknowledges that cloud services continue to evolve so they could potentially address the compliance requirements of regulated entities, it remains unconvinced that public cloud is suitable to host critical systems.

Background

The prudential standards established by APRA relating to outsourcing (CPS 231, SPS 231 and HPS 231) impose a number of obligations on regulated entities in relation to the risk management of outsourcing arrangements and offshoring arrangements. In November 2010, APRA released an open letter to the industry, noting the increasing use of "cloud computing based services" by regulated entities. The letter expressed APRA's concerns that regulated entities were not recognising the significance of cloud computing initiatives when dealing with the outsourcing and offshoring elements inherent in such initiatives. The 2010 letter also reminded regulated entities of their obligations under the prudential standards, and that those standards applied to outsourcing involving the use of cloud computing services.

Since 2010, APRA has observed an increasing volume and complexity of the use of cloud services, and noted weaknesses in a number of these arrangements. The latest information paper published by APRA outlines these observed weaknesses, and provides further guidance on the considerations that APRA-regulated entities should consider when assessing the use of cloud services. The information paper supersedes the 2010 letter.

What hasn't changed

The information paper reaffirms the need for regulated entities to implement proper risk management practices when considering the use of cloud services, and to ensure that the use of cloud services does not compromise APRA's abilities to fulfil its duties as the prudential regulator. The paper does not change the risk-based approach that regulated entities should follow when considering the use of cloud services. APRA noted a number of low risk examples in the paper for which the use of cloud services may be suitable.

The paper also confirmed APRA's views that the risk management practices and techniques for cloud services have not reached "a level of maturity commensurate with usages having an extreme impact if disrupted". Accordingly, APRA remains unconvinced that public cloud environments are suitable for use to host critical systems of record.

Focus on shared computing services

Unlike the 2010 letter, the information paper is focused on the use of "shared computing services", rather than "cloud computing" specifically. This change reminds regulated entities that the principles and considerations apply not only to traditional cloud based services, but also to all outsourcing arrangements that involved shared infrastructure (such as data centres). APRA noted in the paper that the use of shared computing services is not particularly new (such as shared physical infrastructure), and that similar risk management principles should apply to higher-ordered shared computing services (such as cloud computing).

Examples of observed weaknesses

The information paper illustrates a number of weaknesses observed by APRA in the risk management of the use of shared computing services, across different dimensions. Significant ones include:

• Strategy and governance: Business cases and proposals for the use of shared computing services are driven solely by costs and benefits, and do not provide adequate visibility of associated risks to the board and senior management.
• Selection process: Cloud solutions are selected without being evaluated by traditional risk management and due diligence frameworks, particularly with respect to risk, security and assurance functions. APRA noted that regulated entities should consider the use of Australian hosted solutions, and solutions that are used by other parties with comparable security requirements and risk profiles, as a means of reducing these inherent risks.
• Transition: Focus on "fast track" transition rather than a more measured approach.
• Risk assessment and security: Limited due diligence, with heavy reliance on provider or third party attestation. Inadequate consideration of the security risks for sensitive data and critical IT assets. Inadequate consideration of the security controls required to protect the IT assets.
• Ongoing management of provider: Inadequate consideration of how the provider will be managed on an ongoing basis.
• Business disruption: Increased reliance placed on resilience, without adequate consideration about the point-in-time recoverability of the services.
• Assurance: Reliance on key control testing alone for assurances, without a more robust assurance and testing framework.

Our observations on the information paper

In our view, the comments expressed by APRA in the information paper are not surprising. The information paper confirms APRA's long held views that "cloud computing" is no different from any other form of material outsourcing, and that regulated entities should apply the same risk management principles and approaches as for other types of material outsourcing. APRA's views in Australia are also broadly reflective of our experience with financial regulators in other jurisdictions.

The challenge for the regulated entities and cloud service providers is that these traditional risk management principles and techniques are generally inconsistent with the go-to-market strategies of public cloud offerings, as illustrated by the weaknesses observed by APRA. Until these issues are addressed, the use of public cloud services by regulated entities for critical business infrastructure will likely remain difficult.

However, the information paper also acknowledged that the use of shared computing services is expected to evolve. There may be scope for cloud service providers to offer niche products with more mature risk management approaches and mechanisms tailored for regulated entities which address the concerns of APRA.

Footnote

¹ Outsourcing involving shared computing services (including Cloud), APRA, July 6, 2015