The Australian Prudential Regulation Authority (APRA) has advised all authorised deposit-taking institutions (ADIs), friendly societies, general insurers, life insurers and superannuation trustees to be aware of the need for proper risk and governance processes for all outsourcing and offshoring arrangements, including cloud computing.
APRA defined cloud computing as services such as mail and instant messaging, calendar scheduling, collaboration (including workflow) applications and CRM solutions.
These processes can form an integral part of core business processes and regulated institutions might fail to acknowledge the outsourcing or offshoring elements in them and therefore not subject them to the usual rigour of existing frameworks, APRA stated.
Key concerns bodies needed to address were the ability to continue operations and meet core obligations following a loss of cloud computing services, confidentiality and integrity of sensitive data and information and compliance with legislative and prudential requirements.
APRA requested that bodies consult on offshoring agreements before entering into them and provide the regulator with a comprehensive risk assessment.
