Regulator warns Australia's finance industry on cloud risks

By on
Regulator warns Australia's finance industry on cloud risks

APRA's cloud computing fears published in open letter.

Australian banking regulator APRA has written an open letter to the financial services industry, urging executives to view cloud computing as a new form of outsourcing or offshoring that requires the regulator's tick of approval.

The rise of cloud computing has - as formerly expressed by CSC chief technology officer Bob Hayward - "caught the regulator by surprise."

Earlier this year the regulator stepped in to apply pressure on one wealth management firm that had endeavoured to migrate its CRM system to, hosted in Singapore.

Today's letter [PDF] - first reported on technology news site Delimiter - reinforced APRA's view that cloud computing is still untested technically and legally.

The regulator said organisations migrating services such as messaging and calendaring, collaboration and CRM to the cloud be concerned about serious risks to the business.

"While these applications may seem innocuous, the reality is that they may form an integral part of an institution's core business processes, including both approval and decision-making, and can be material and critical to the ongoing operations of the institution," APRA said in the letter.

"APRA has noted that its regulated institutions do not always recognise the significance of cloud computing initiatives and fail to acknowledge the outsourcing and/or offshoring elements in them," the letter said.

"As a consequence, the initiatives are not being subjected to the usual rigour of existing outsourcing and risk management frameworks, and the board and senior management are not fully informed and engaged.

"Regulated institutions are reminded that, under the prudential standards on outsourcing, they are required to consult with APRA prior to entering into any offshoring agreement involving a material business activity."

APRA expects that any outsourcing project that could hinder an organisation's ability to manage risks effectively or have a "significant impact on the institution's business operations" requires the regulator's approval.

Those wishing to embrace the cloud are required to undertake a "comprehensive risk assessment" around the type of service, the service provider and where it is located, and the "criticality and sensitivity of the IT assets involved."

"APRA has observed that, to date, assessments of cloud computing proposals typically lack sufficient consideration of these factors," the letter said.

The letter will prove a blow to U.S.-owned cloud computing providers such as Amazon's EC2,, Microsoft's Azure and Google's App Engine - all of which to date are hosted elsewhere in Asia.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?