The Australian Prudential Regulation Authority (APRA) is concerned that financial institutions are too optimistic about the benefits of cloud computing and have overlooked the associated risks that exist with these technologies.

APRA, which regulates the financial sector, has released an Information Paper expressing its concerns regarding weaknesses in cloud outsourcing arrangements where IT assets are shared between entities (shared computing services). This is specifically differentiated from those services where IT assets are dedicated to a single entity. APRA states that while such sharing has occurred for many years, there has been an increase in the 'volume, materiality and complexity' of these arrangements, including the sharing of software across industries. Its concern is not the maturing technology itself, but what it sees as a lack of a commensurate increase in risk management considerations.

These concerns do not seem to be shared by Australian businesses. An ABS survey released in July 2015 showed that nearly 60% of companies stated that there were no factors which limited or prevented the use of paid cloud computing. The top five reasons for not adopting paid cloud computing services were:

Several other weaknesses identified in APRA's review of these outsourcing arrangements include:

  • inadequate consideration of controls to ensure data security
  • limited due diligence and assurance activities undertaken
  • impediments placed on APRA's access rights to the service provider.

Under APRA's prudential outsourcing standards CPS 231 and SPS 231, regulated entities are required to notify APRA within 20 business days if their material business activities are being outsourced. If outsourcing arrangements are offshore, APRA-regulated institutions are required to consult with APRA prior to entering into these agreements. This is to ensure entities have fully understood, and are able to address, the heightened risks.

What makes shared computing services a concern to APRA is not the maturing technology itself, but the lack of risk management and governance to protect the security of the data. In a further sign that this topic may continue to be scrutinised by APRA, earlier this year Bank of Queensland was forced to write off $10 million on its cloud-based customer relationship program system after it failed to meet operational and regulatory requirements.

Our Forensic Technology team includes leading computer forensic experts in Australia and the Asia-Pacific region. Whether it be reviewing electronic evidence in an intellectual property theft matter or providing eDiscovery services, we aim to provide a complete solution for our clients. From the issues raised by APRA, we can see that these risks do not only apply to financial institutions but to all organisations that use shared computing services. As technology continuously evolves, organisations need to constantly weigh up the benefits, be aware of the risks and manage them appropriately.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.