The Australian Prudential Regulation Authority (APRA) has released updated information on the use of shared computing services, such as cloud, by APRA-regulated entities.
The new Information Paper, Outsourcing involving cloud computing services, updates information on prudential considerations and key principles issued to APRA-regulated entities in July 2015. It has been developed in response to the growing use of the cloud by APRA-regulated entities for higher inherent risk activities, and observed areas of weakness in how entities approach and manage these risks. In addition, many applicants for Restricted ADI licences seek to use the cloud for critical systems.
The new paper acknowledges that advancements in cloud computing service offerings over the past three years have improved the ability of APRA-regulated entities to manage the risks involved. However, it also emphasises the need for entities to be mindful of the differing levels of responsibility for operating and managing these arrangements.
APRA-regulated entities should note that while this information paper does not constitute formal regulation, APRA intends to incorporate the better practices described in the paper into prudential standards and practice guides in the future. Any such changes will be subject to APRA’s normal processes of consultation.
Copies of the publication are available on APRA’s website at: https://www.apra.gov.au/apra-information-papers