The head of Australia’s financial services regulator says it is taking a “more open stance on cloud usage” among banks.
Australian Prudential Regulation Authority chairperson Wayne Byres said in remarks prepared for the Curious Thinkers Conference in Sydney that “much has changed” since APRA in 2015 released its first information paper on the use of cloud services.
Three years ago, APRA “expressed reservations about the use of the cloud for initiatives with heightened or extreme inherent risk,” Byres said.
Since then, however, “cloud service providers have strengthened their control environments, increased transparency regarding the nature of the controls in place, and improved their customers’ ability to monitor their environments”.
“APRA-regulated entities have also improved their management capability and processes for assessing and overseeing the services provided,” the APRA chair added.
As a result, APRA has updated its guidance for the businesses it regulates. The regulator today released updated advice on the use of cloud services by banks and financial services businesses.
The updated advice outlines three broad levels of risk associated with cloud computing:
• Low inherent risk: Use of cloud for test and dev, public websites and applications, and data stores with low criticality and sensitivity.
• Heightened inherent risk: Cloud environments with non-financial-services tenants, services or providers with unproven track records, the risk of lock-in, and barriers to business continuity.
• Extreme inherent risk: “Heightened inherent risk arrangements which could, if disrupted, result in an extreme impact. Extreme impacts can be financial and reputational, potentially threatening the ongoing ability of the APRA-regulated entity to meet its obligations.” The regulator cites as an example moving a bank’s core systems to the cloud.
“When the proposed use of cloud computing services involves heightened or extreme inherent risks, APRA encourages consultation prior to entering into any arrangement, regardless of whether offshoring is involved,” the advice states.
“This is to ensure that the APRA-regulated entity understands and has the capability to manage these risks. For clarity, there is no need for consultation with APRA prior to entering into low inherent risk arrangements.”
“The new paper acknowledges advancements in the safety and security in using the cloud, as well as the increased appetite for doing so, especially among new and aspiring entities that want to take a cloud-first approach to data storage and management,” Byres said.
“To be clear, cloud usage is not without risk – but nor is the status quo. In addition to reinforcing steps to minimise the risks of cloud usage, the information paper also summarises observed weaknesses that industry must continue to focus on.
“And while cloud usage, as with all other shared service arrangements, involves a degree of shared responsibility, boards and senior management of regulated entities remain ultimately accountable for the security of their data. That accountability cannot be outsourced.”
Earlier this year the Digital Transformation Agency released a new strategy document that called for increased use of public cloud among government.
Government agencies “should consider public cloud first and in preference to any other cloud deployment model” although they need to ensure that any service “has the appropriate security implementation for the information being handled,” the DTA strategy argues.
Analyst firm Gartner is predicting that Australian organisations will spend around $5.6 billion on public cloud services in 2019 — the bulk of it on software as a service offerings.