Over the past decade, cloud computing has had a significant impact on the financial sector, globally. It has helped the banking sector to be cost-effective, reliable, and productive. Cloud infrastructures have reduced the capital expense of buying and setting up hardware and software at data centers. This has allowed organizations of all sizes and levels to utilize elastic and virtually limitless data and network storage. However, together with these benefits, cloud computing also presents profound risks. Security in the cloud servers is a significant risk. Financial institutions must maintain the confidentiality and security of the customer’s financial information and internal company data.
Recognizing these risks and thus the momentum at which cloud computing is impacting the financial sector, the Australian Prudential Regulation Authority (APRA) has called on regulated entities to implement comprehensive cloud-adoption strategies. These strategies focus on risk assessment, regular assurance processes, and efficient governance.
Who is APRA?
APRA is an independent statutory authority that oversees institutions across banking, insurance, and superannuation and promotes financial system stability in Australia. It is the prudential regulator of the Australian financial services industry. In July 2015, APRA published an information paper titled’ Outsourcing involving shared computing services. The article focuses on the fundamental principles and prudential considerations that should be considered for utilizing cloud computing services.
In February 2018, Australia’s Notifiable Data Breach Scheme legislation became a law which introduced new reporting guidelines and penalties for organizations governed by the Australian Privacy Act. In response to this, APRA updated its July 2015 paper. APRA stated that this was in response to its observation of the growing usage of cloud computing services by APRA-regulated organizations and the associated rise in risk and vulnerabilities. The update also specified the key requirements that APRA-regulated entities must implement and maintain for outsourcing with regards to cloud computing services. Furthermore, the update ups the bar regarding APRA’s view of cloud practitioners.
What is new in the APRA Guidelines?
Risk Assessment and APRA’s Engagement
Chapter 1 talks about understanding and managing risks. The APRA guidelines have classified these risks into three broad categories – low, heightened, and extreme.
- Low inherent risks are those disruptions in arrangements wherein the confidentiality, integrity, or availability of systems and data are compromised. These risks present a low or negligible impact on business operations and the ability of the regulated entity to satisfy its obligations. For such arrangements, APRA stated that it would not expect an APRA-regulated entity to consult with them before entering the arrangement. Examples of such arrangements include non-productive environments or websites that deliver publicly available information. They also include applications or data stores that are classified by an APRA regulated entity to have low criticality and sensitivity.
- Heightened risk arrangements are those that involve critical or sensitive IT assets. In this case, disruptions can have a profound impact on the business operations of an APRA-regulated entity to meet its obligations. For these arrangements, APRA states that it would expect to be consulted after the entity has completed its internal governance process.
- Extreme inherent risk arrangements are ones that, if disrupted, can cause an extreme impact on the APRA-regulated entity, both financially and reputationally. It might threaten the ongoing ability of the entity to meet its obligations. For such arrangements, the APRA encourages earlier engagement, as these arrangements will be subjected to a higher level of scrutiny.
Risk Management Considerations.
Chapter 2 outlines the issues that APRA-regulated entities should consider when utilizing cloud computing services.
- The chapter talks about the strategy for risk management when an APRA-regulated entity is considering the use of cloud computing services. It states that the entity should take comprehensive steps towards the planning of the target IT environment. APRA also recommends considering an organizational change.
- The outsourcing governance of the APRA-regulated entity must highlight its decision-making and oversight responsibilities and address the roles of the board members and senior management. These members should be kept informed of the project status and emerging risks or issues to the assets. These members are referred to as the ‘appropriate governance authority.’
- The selection of a solution involving cloud computing must include independent assessments besides the attestations of the provider and references.
- The outsourcing standards by APRA make it imperative for APRA-regulated entities to include an APRA-access clause in their outsourcing agreements. This should include APRA getting access to documentation and information as well as reserving the right for APRA to conduct on-site visits to the service provider.
- There should be detailed controls in place to protect information assets. This should also include assets managed by a third party.
- There should be robust mechanisms in place to respond to security incidents. These mechanisms should be comprehensive and cover all relevant stages of an incident, including detection to post-incident review as well as notifying the key stakeholders and law enforcement.
- APRA-regulated entities must notify APRA in case of a security incident of any magnitude in not more than 72 hours. It is also mandatory for the APRA-regulated entity to notify APRA within ten business days if they become aware and identify the information security control weakness.
In short, the APRA-regulated entities must demonstrate the following:
- They should have the ability to continue operations and meet obligations, even in case of any disruption.
- They must ensure the security of critical and sensitive data.
- They must comply with the legislative and prudential requirements.
- Absence of jurisdictional, contractual, or technical considerations that may inhibit APRA’s ability to fulfill its duties as a prudential regulator, including impediments to timely access to documentation and data/information.