Out-Law News

Australian financial regulator issues public cloud risk warning

Australian banks do not appear suitably prepared to deal with the risks involved in hosting important IT systems and data in the 'public cloud', the Australian Prudential Regulation Authority (APRA) has said.

In a 17-page paper (443KB PDF), the APRA said that sharing computing services with others can benefit financial services companies, but that it also brings risks. It said there is "heightened inherent risk" where financial services companies share "highly critical and/or sensitive IT assets" with others and this could result in "an increased likelihood of a disruption or where a disruption would result in a significant impact".

An example of this would be where the regulated firms use public cloud services also utilised by "non-financial industry entities", it said.

The APRA said that "hosting systems of record holding information essential to determining obligations to customers (such as customer identity, current balance/benefits and transaction history)" on shared IT assets has the potential to have "an extreme impact" if those arrangements result in disruption to those systems. In this context, disruption could range from breaches of system and data confidentiality or integrity to outages, it said.

The APRA said industry does not appear ready to host such systems in the public cloud.

"It is not readily evident that risk management and mitigation techniques for public cloud arrangements have reached a level of maturity commensurate with usages having an extreme impact if disrupted," the APRA said. "Extreme impacts can be financial and/or reputational, potentially threatening the ongoing ability of the APRA-regulated entity to meet its obligations."

Technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "The regulatory position in Australia, as well as many of the market conditions, is similar to those in the UK. Given guidance from around Europe, North America, Asia and now Australia, it is clear that regulators around the globe share similar concerns."

"The concerns often come down to the fact that exercising traditional 'oversight and control' is nigh on impossible in the world of public cloud; firms in the UK are picking and choosing how public cloud is deployed as they are generally aware of the challenges around it, but even if public cloud is only a small part of the overall system, it is increasing as cost pressures mount on the industry and it could be the weak link. In the UK, the stakes are being raised higher with the senior managers regime leading to increased personal responsibility – this would include responsibility for decisions to use public cloud offerings," he said.

Financial services companies in Australia should not use shared computing services, such as the public cloud, without being able to demonstrate that they could "continue operations and meet obligations following a loss of service", that data quality and security can be preserved and that legal and prudential obligations are met, the APRA said.

There must also be no "jurisdictional, contractual or technical considerations" which could prevent the APRA conducting its regulatory duties, including gaining "timely access to documentation and data/information", it said.

The APRA needs to be told when financial services companies outsource "material" business activities. The notification requirement applies where the outsourcing concerns any activity which "has the potential, if disrupted, to have a significant impact on [a regulated financial services company's] business operations or its ability to manage risks effectively". Notification could be triggered where those regulated businesses enter into agreements that involve the sharing of IT assets, the APRA said.

"It would be prudent for an assessment of materiality to consider both criticality and sensitivity, taking into account the IT assets involved and the associated business processes impacted," the regulator said. "This would include consideration of critical and/or sensitive IT assets which are accessible from the shared computing service and the projected and/or aggregated materiality of the arrangement."

The APRA said it would encourage firms to consult with it where they are considering using public cloud services.

Financial services companies need to deploy measures to mitigate the risks posed by outsourcing to a public cloud provider, ranging from due diligence checks to having a system of "appropriate governance authority" and testing out their transition on "low risk initiatives", the APRA said.

"It is important that the strength of the control environment is commensurate with: the risks involved; the sensitivity and criticality of the IT assets involved; and the level of trust that will be placed on the shared computing service environment," the APRA said. "An understanding of the nature and strength of controls required is typically achieved through initial and periodic (or on material change) assessments of design and operating effectiveness (including alignment with industry agreed practices)."

Risk management measures should also include bolstering recovery capabilities in case the use of shared IT assets does lead to disruption, it said.

"Use of shared computing services by APRA-regulated entities is expected to continually evolve, along with the maturity of the risk management and mitigation techniques applied," the APRA said. "Hence, APRA encourages ongoing dialogue to ensure prudent practices are in place and risks are adequately mitigated when regulated entities seek the advantages that shared computing services can realise. Prudent practices would normally include a well-considered strategy, effective governance arrangements, appropriate consideration of IT risk (including security and recovery) and sufficient assurance mechanisms."
