Regulator warns Australia's finance industry on cloud risks

By Brett Winterford on Nov 16, 2010 4:56 PM
Filed under Strategy
 

APRA's cloud computing fears published in open letter.

Australian banking regulator APRA has written an open letter to the financial services industry, urging executives to view cloud computing as a new form of outsourcing or offshoring that requires the regulator's tick of approval.

The rise of cloud computing has - as formerly expressed by CSC chief technology officer Bob Hayward - "caught the regulator by surprise."

Earlier this year the regulator stepped in to apply pressure on one wealth management firm that had endeavoured to migrate its CRM system to Salesforce.com, hosted in Singapore.

Today's letter [PDF] - first reported on technology news site Delimiter - reinforced APRA's view that cloud computing is still untested technically and legally.

The regulator said organisations migrating services such as messaging and calendaring, collaboration and CRM to the cloud be concerned about serious risks to the business.

"While these applications may seem innocuous, the reality is that they may form an integral part of an institution's core business processes, including both approval and decision-making, and can be material and critical to the ongoing operations of the institution," APRA said in the letter.

"APRA has noted that its regulated institutions do not always recognise the significance of cloud computing initiatives and fail to acknowledge the outsourcing and/or offshoring elements in them," the letter said.

"As a consequence, the initiatives are not being subjected to the usual rigour of existing outsourcing and risk management frameworks, and the board and senior management are not fully informed and engaged.

"Regulated institutions are reminded that, under the prudential standards on outsourcing, they are required to consult with APRA prior to entering into any offshoring agreement involving a material business activity."

APRA expects that any outsourcing project that could hinder an organisation's ability to manage risks effectively or have a "significant impact on the institution's business operations" requires the regulator's approval.

Those wishing to embrace the cloud are required to undertake a "comprehensive risk assessment" around the type of service, the service provider and where it is located, and the "criticality and sensitivity of the IT assets involved."

"APRA has observed that, to date, assessments of cloud computing proposals typically lack sufficient consideration of these factors," the letter said.

The letter will prove a blow to U.S.-owned cloud computing providers such as Amazon's EC2, Salesforce.com, Microsoft's Azure and Google's App Engine - all of which to date are hosted elsewhere in Asia.

Copyright © iTnews.com.au . All rights reserved.


Regulator warns Australia's finance industry on cloud risks
3 comments in this discussion
"APRA is dead right in this instance. It shows that enterprises ignore regulatory requirements when they think there is a buck to be made (or saved), often by sending customer data into jurisdiction..."
By Ace
 
Tags
apra, cloud, letter, data sovereignty, regulation, financeit, banking, cloud computing
Related Articles
Breaking Stories
 
Readers of this article also read...
 
Comments: 3
kristofferjon
Nov 17, 2010 8:26 AM
 It seems a little disingenuous to claim that cloud computing has caught anyone surprise!

And to say that cloud computing isn't tested is also a long bow. Cloud computing has been very well tested worldwide for a few years now.

Time to get with the program guys.
turtl
Nov 17, 2010 9:40 AM
 As usual it's all about the why it "can't be done" rather what can and how. As per the previous comment, the technology has been around for an adequate period of time to validate it's value and capability.

It also fails to recognised the growth on onshore capability in cloud services, to address to scare position of offshoring and outsourcing our data. It also doesn't give credit to the technical skill, knowledge and capability within organisations considering cloud technology and services.

In my opinion all the APRA statement highlights is their technological ignorance and lack of knowledge on what cloud really is, and what is available in the market to address the issues which underlie these regulatory statements.
Ace
Nov 17, 2010 12:32 PM
 APRA is dead right in this instance. It shows that enterprises ignore regulatory requirements when they think there is a buck to be made (or saved), often by sending customer data into jurisdictions outside Australian control or influence. In many places, particularly Asia, and growing in the US, the government has access to all data held by network access providers including email, hosted data, sms, telephone calls etc etc. They do what they feel like with this data, including influencing business negotiations etc. If you have never operated in Asia, you might be surprised at just how much data the governments there capture. Have you ever queried a call on last months telephone bill in Australia only to be told a minute later that 'it certainly sounds like you'? In Singapore, they'll even play it back to you! Scary.

When you start a business in Australia, there a rules you have to follow to ensure a) you operate the company lawfully, b) your company is solvent and c) you respect privacy of data to retain, both your own and your customers. Enterprises have to follow even tight regulations.

Public clouds are not typically utilised by enterprises or government. As such, it would be surprising to see such organisations using OS clouds for anything significant or anything including their own or their customers data.

The whole thing has absolutely nothing to do with with "Cloud computing has been very well tested worldwide". The problem is not technical.

However @turtl, you would have to say the regulators statement will be very useful to organisations in Australia selling local cloud services. You could almost call the timing of the statement rather fortuitous!
Comments have been disabled for this article.
 
 
Top Stories
NBN Co could miss revised June fibre targets
NBN Co could miss revised June fibre targets
Analysis: Cutting it fine in the race to the line.
 
Review: Sydney's Opal smartcard
Review: Sydney's Opal smartcard
It's no Oyster card.
 
Rackspace puts price premium on Aussie public cloud
Rackspace puts price premium on Aussie public cloud
At least 17 percent more compared to US instances.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...

Latest VideosSee all videos »

iTnews Academy: Microsoft Windows Server 2012 - Hyper-V
iTnews Academy: Microsoft Windows Server 2012 - Hyper-V
Interview: Australia's 'cloud-last' policy is dangerous.
Interview: Australia's 'cloud-last' policy is dangerous.
Interview: Vivek Kundra on Australia's 'cloud last' policy
Bankwest builds continuous delivery capability
Bankwest builds continuous delivery capability
To automatically deploy test/dev sandboxes by mid-year.
Veterans' Affairs sets sights on modernisation
Veterans' Affairs sets sights on modernisation
Data safe with Human Services, CIO says.
Citi Australia drops platform customisations
Citi Australia drops platform customisations
Technology chief shifts focus from building to leveraging systems.
VicRoads restructures IT team
VicRoads restructures IT team
Department moves to align with industry benchmarks.
Zurich Australia extends IT team offshore
Zurich Australia extends IT team offshore
Malaysian staff served from Australian data centres.
Leigh Berrell - Utilities CIO of the Year
Leigh Berrell - Utilities CIO of the Year
Yarra Valley Water CIO Leigh Berrell accepts his Benchmark Award for Utilities CIO of the Year.
Wayne McMahon - Retail CIO of the Year
Wayne McMahon - Retail CIO of the Year
Domino's Pizza CIO Wayne McMahon accepts his Benchmark Award for Retail CIO of the Year.
Inside Perpetual's ongoing IT transformation
Inside Perpetual's ongoing IT transformation
CIO Jenny Levy discusses how outsourcing will help the firm "simplify, refocus and grow".
Managing Complexity - Defence's Daniel McCabe
Managing Complexity - Defence's Daniel McCabe
Daniel McCabe, Assistant Secretary of Australia's Department of Defence, provides the audience at the iTnews Data Centre Strategy Summit with a deep dive into the organisation's data centre consolidation program.
How Facebook designed the data centre from scratch - Marco Magarelli
How Facebook designed the data centre from scratch - Marco Magarelli
The full keynote by Facebook data centre architect Marco Magarelli at the Australian Data Centre Strategy Summit. Magarelli details the design considerations behind the social network's Prineville, Oregon; North Carolina and Luleå, Sweden data centres.
Modernising Legacy Data Centres - Telstra's Jon Curry
Modernising Legacy Data Centres - Telstra's Jon Curry
Telstra general manager of managed data centres Jon Curry guides the audience at the iTnews Australian Data Centre Summit through the build of the telco's Clayton, Victoria data centre.
NSW Government launches NABERS data centre rating tools
NSW Government launches NABERS data centre rating tools
Matthew Clark from the NSW Department of Environment guides facilties managers through the details of the new NABERS data centre energy rating tool at the Australian Data Centre Strategy Summit.
NABERS launch panel: Australian Data Centre Strategy Summit
NABERS launch panel: Australian Data Centre Strategy Summit
Matthew Clark (NSW Dept of Environment), Greg Boorer (Canberra Data Centres), Glenn Allan (National Australia Bank), Mike Andrea (Strategic Directions) and Bob Sharon (Green Global Consulting) discuss the impact of the NABERS data centre rating.
Judges notes: Fortescue Metals [The Benchmark Awards]
Judges notes: Fortescue Metals [The Benchmark Awards]
iTnews' panel of judges discuss Fortescue Metals 'New World of Work" project, one of three shortlisted finalists for the Industrials category of the CIO Benchmark Awards.
Judges notes: Retail [The Benchmark Awards]
Judges notes: Retail [The Benchmark Awards]
iTnews' panel of judges discuss the shortlisted finalists for the Retail category of the CIO Benchmark Awards.
Judges notes: Pacific Aluminium [The Benchmark Awards]
Judges notes: Pacific Aluminium [The Benchmark Awards]
iTnews' panel of judges discuss Pacific Aluminium's lightning fast service desk refresh, one of three shortlisted finalists for the Industrials category of the CIO Benchmark Awards.
Judges notes: Domino's Pizza [The Benchmark Awards]
Judges notes: Domino's Pizza [The Benchmark Awards]
iTnews' panel of judges discuss Domino's Pizza's shift to hosted services, one of three shortlisted finalists for the Retail category of the CIO Benchmark Awards.
Judges notes: McDonald's Australia [The Benchmark Awards]
Judges notes: McDonald's Australia [The Benchmark Awards]
iTnews' panel of judges discuss McDonald's Australia's new self-service portal for employees, one of three shortlisted finalists for the Retail category of the CIO Benchmark Awards.
Latest Comments
Powered by Disqus
Polls
Will you quit any cloud services in light of PRISM?
   |   View results
Yes
  62%
 
No
  38%
TOTAL VOTES: 71

Vote
view previous polls »