Technology Update: Outsourcing Involving Shared Computing Services for APRA regulate institutions (including Cloud services)

On the 6th July 2015, Australian Prudential Regulation Authority (APRA) released an Information Paper in relation to Outsourcing. It noted that in recent years there has been a significant change in the way that technology is being employed with shared computing services (SCS) being increasingly utilised by a range of business entities.

The trend of sharing information with a large cross-section of entities through SCS, such as data centre facilities, has necessitated the need for a greater degree of caution and supervisory interest to be exercised. While such services offer a range of benefits, such as economies of scale, they also bring a range of associated risks which must be effectively considered and managed.

The Information paper outlines the notification, consultation and risk management requirements and considerations that APRA regulated companies must abide by.

The main purpose of APRA’s information paper is to promote financial stability by requiring APRA-related institutions to manage risk prudently so as to minimise the likelihood of financial losses to depositors, policy holders and superannuation fund members.

In terms of notification and consultation, APRA requires that risks related to outsourcing of data through SCS are adequately understood and managed. In this way, APRA requires that a company wishing to introduce a SCS to demonstrate an ability to:

  • Continue operations and meet obligations following a loss of service;
  • Preserve the quality and security of critical information; and
  • Allow APRA to fulfil its duties as prudential regulator.

In addition, CPS 231 requires an APRA-regulated entity to ‘identify, assess, manage, mitigate and report on risks associated with outsourcing to ensure that it can meet its financial and service obligations to its depositors, policy holders and other stakeholders’.
In terms of notification, APRA-regulated entities are required to notify APRA after entering into a material outsourcing agreement or an outsourcing arrangement where offshoring is involved. The intent behind this is to ensure that APRA-related entities have an adequate capability to understand and manage heightened risk.
In addition to notification and consultation, APRA-related entities must give sufficient consideration to risk management when utilising SCS. According to the Information Paper, such considerations include:

  • Adopting a cautious and measured approach for transition to SCS. This would include clearly describing the relevant risks, assessing the appropriateness of the service for future stages and making a thorough assessment of the capability to oversee and manage the arrangement. In carrying this out, it would be appropriate to conduct a range of risk assessments and scenario analysis to consider plausible security events.
  • Applying an appropriate amount of rigour to the planning of the IT environment and the transition from current state to the desired architecture and operating model.
  • Introducing an effective governance framework that outlines the decision making and oversight responsibilities with respect to outsourcing. It would be the responsibility of this governance authority to ensure the adequacy of risk and control frameworks and understand the consequences if the risks are realised.
  • Ensuring the solution selected minimises risk wherever possible and complies with the established processes for changing the IT environment.
  • Developing a contingency plan that allows for the shared computing service to be transitioned to an alternative provider in an orderly manner, ensuring continuing obligations can be met.
  • Development and maintenance of an ongoing operational and strategic oversite mechanism which facilitates assessment of performance against agreed service levels, allows for an assessment of the ongoing viability of the provider and service, and ensures a timely response to issues and emerging risks. 

Concerning the above, APRA-related entities may seek regular assurance that risk and control frameworks are operating effectively. This assurance would be executed through a formal program of work that facilitates a systematic assessment of the risk and control environment over time. Such a framework would assess:

  • Legal and regulatory compliance
  • The management and oversight arrangement (including reporting mechanisms)
  • IT asset lifecycle management processes
  • Security management
  • Business continuity and disaster recovery management

Therefore, it is clear that the use of SCS by APRA-related entities comes with a maturity of risk management and mitigation techniques. APRA encourages an ongoing dialogue to ensure that prudent practices are in place and risks are effectively mitigated.
In view of the above, it is essential that APRA regulated bodies not only comply with these requirements, but can prove that they have done so. We are happy to assist and conduct an audit of your processes and documents to ensure that, legally, you have in place sufficient safeguards and processes to ensure compliance.

Written by Tal Williams, Partner and Lucy Williams, Paralegal 

Recent Posts