Australia’s financial sector regulator has published the first revision to its cloud guidance since 2010, issuing a new list of complaints and demands to the banking industry.
The Australian Prudential Regulation Authority has historically taken a risk-averse stance to cloud computing by financial services organisations.
Earlier this year the Bank of Queensland was forced to write off a $10 million Salesforce trial after it failed to meet the regulatory standards required to move its information offshore.
APRA’s 2010 letter to industry members made clear the regulator would treat the use of cloud services the same way it treats other outsourcing, meaning regulated entities would have to notify APRA within 20 business days of any new cloud deals, and would have to seek the regulator’s approval prior to offshoring any “material” computing functions.
In its latest missive, which supersedes the 2010 letter, APRA has stood firm against the use of public cloud computing services for critical systems of record in the sector.
It has made clear that it would “question the appropriateness” of migrating core systems - whose compromise or failure would seriously disrupt business operations - to public cloud infrastructure.
“In light of weaknesses in arrangements observed by APRA, it is not readily evident that risk management and mitigation techniques for public cloud arrangements have reached a level of maturity commensurate with usages having an extreme impact if disrupted,” the new guidance states.
“APRA’s stance aligns with the position of other international financial regulators.”
The updated guidance also reveals APRA expects financial entities to look at onshore-hosted cloud options as default before weighing up any overseas solutions.
The guidance also reveals that APRA considers the safest public cloud options to be those that are only used by other financial services or equally regulated organisations with similarly stringent security demands.
APRA claims its cloud apprehension stems from deficiencies in the way some financial services organisations assess and manage cloud solutions.
As part of a long list of “observed weaknesses” amongst industry members, it says cloud proposals to the board often display an optimism bias, downplaying risk, and that IT advocates are at times “driven solely by cost”.
APRA suggested that in the haste to get cloud solutions in place, IT managers have been prone to bypass established risk management frameworks and skip consulting their risk assurance colleagues.
The regulator also said it had observed evidence of cloud proposals that underestimated the sensitivity of data, failed to properly address insider threats, gave inadequate consideration to how encryption keys for data secured in transmission were themselves secured, and failed to properly sterilise data used in test and dev environments.
Despite its tough stance, APRA insisted it wanted to keep the cloud dialogue open with industry members.
“[Cloud] utilisation by APRA-regulated entities is expected to continually evolve, along with the maturity of the risk management and mitigation techniques applied,” policy executive Sarah Goodman wrote in a letter introducing the new framework.
“Hence, APRA continues to encourage ongoing dialogue with industry to ensure prudent practices are in place and risks are adequately mitigated when regulated entities seek the advantages that shared computing services can realise.”