6 July 2015
To: All APRA regulated entities
In response to feedback from industry, APRA has today published an Information Paper which outlines prudential considerations and key principles in relation to outsourcing involving shared computing services.
The term ‘cloud computing’ is used to describe a broad variety of arrangements. The Information Paper uses the term ‘shared computing services’ (whether labelled cloud or otherwise) to differentiate arrangements which involve the sharing of IT assets (including hardware, software and/or data storage) with other parties, from those where IT assets are dedicated to a single APRA-regulated entity.
The use of shared computing services represents a significant change to the way technology is employed. While shared computing services may bring benefits, such as economies of scale, they also bring associated risks.
Utilisation by APRA-regulated entities is expected to continually evolve, along with the maturity of the risk management and mitigation techniques applied. Hence, APRA continues to encourage ongoing dialogue with industry to ensure prudent practices are in place and risks are adequately mitigated when regulated entities seek the advantages that shared computing services can realise.
The Information Paper can be found on APRA’s website, and supersedes the November 2010 letter on specific considerations when using cloud computing services.
Should you have any questions or comments regarding the contents of the Information Paper, please contact Mr David Pegrem, Head of IT Risk, on (02) 9210 3324 or email firstname.lastname@example.org.
Executive General Manager
Policy & Advice Division