Catherine de Ruyter de Wildt reckons that APRA’s guidelines for outsourcing IT in the financial sector provide a great starting point for other industry sectors
In 2015, the Australian Prudential Regulation Authority (APRA) released an information paper, Outsourcing Involving Shared Computing Services (including Cloud), intended as guidance for the banking and financial sectors.
In response, I published an article, Managing the Risks of Operating in the Cloud, analysing the key points of the paper and making recommendations for its practical application in the financial industry.
However, the financial regulator's paper also offers sound, actionable guidance for any organisation considering cloud services, or reviewing its existing cloud arrangements, on understanding and managing the risk and compliance aspects of outsourcing ICT capabilities.
It’s a new frontier
In late 2014 and early 2015, APRA observed that many regulated entities, which had already outsourced parts of their ICT capability, were increasingly adopting a cloud strategy.
However, the regulator also encountered many security and privacy risks and control weaknesses in the way these entities went about their cloud journey. APRA rightly saw that it needed to set out guidance for Authorised Deposit-taking Institutions (ADIs) and its other regulated entities to turn to.
In March 2014, amendments to the Australian Privacy Act came into effect, bringing it into line with global standards for the handling of personal information and introducing the Australian Privacy Principles (APPs), which determine how Australian organisations must store, host and provide access to personal data.
APRA's information paper addressed a number of related concerns, including data sovereignty and the expectation that personally identifiable customer information remains on-shore in Australia.
In the past year, the location of data storage has been a major focus, and a number of global cloud providers now offer services that allow all customer data to be stored within Australian data centres.
As a result, Australian government and commercial enterprises can meet data sovereignty requirements even when hosting data with global cloud providers.
Capability drives Compliance
When analysing APRA's information paper to write the article, what stood out was that its recommendations can all be met by applying sound management capabilities that regulated entities, and indeed most organisations, already have in place in order to comply with their relevant regulators.
Rather than having to do more compliance work when adopting cloud solutions, it is about using what is already in place, and adapting those capabilities to deal specifically with the risks and unknowns associated with cloud services.
These include the management domains of risk, vendor management, business continuity, transformation, corporate governance, strategy and assurance.
Whether your organisation operates within the financial services sector or not, it will have these capabilities in place. Granted, the risk impacts, the specific vendors and their services, and your business strategy will differ across industries. However, the same identify-assess-manage-review cycle still applies.
As such, most organisations will be able to meet APRA's guidance on managing the risks of outsourcing ICT capabilities with relatively little additional compliance work.
The bottom line
APRA's information paper provides practical and reasonable guidance on how best to manage the transition to, and ongoing use of, cloud services.
It builds on the principle of having adequate management disciplines to support an organisation's overall risk and assurance capabilities. And these management disciplines apply across the board, not just to banks, insurers and other financial entities.
APRA's information paper is a good guide for other industries to adopt, whether they are ADIs or not.
Ultimately, it comes down to the level of risk that your organisation is willing, and able, to accept.
Whatever your industry, you must determine your specific risk factors, then build appropriate policies and underlying rules for deciding which services and data you push to the cloud, and with whom.
- Digital Transformation: Driving innovation, creating adaptability and developing resilience
- Five tips to get clean about compliance
- The 3 realities of ICT security all senior executives must accept
- Managing the Risks of Operating in the Cloud
- Outsourcing Involving Shared Computing Services (including Cloud)
About the Author
Catherine de Ruyter de Wildt leads CSC’s Governance, Risk & Compliance consulting practice in Australia and New Zealand, working with business leaders to develop and implement risk and compliance management frameworks and support the execution of strategic programs. Catherine has both a consulting and banking background, having worked for one of the global Big Four consulting organisations, as well as for one of Australia’s big four banks.