APRA updates guidance on cloud computing

3 mins  11.10.2018

APRA has released updated guidance for regulated institutions operating and managing cloud computing services, to assist in enhancing their associated risk management practices.


Key takeouts


APRA has relaxed its stance on the use of cloud computing services for critical systems in the context of improving control environments, while cautioning entities against the risks inherent in cloud offerings.

The regulator is concerned that proposals for Cloud Services are often driven by cost considerations which may not adequately address the customer's specific risk profile.

APRA plans to formalise the Guidance into new prudential standards and practice guides.

The Australian Prudential Regulation Authority (APRA) has released its updated guidance: Outsourcing involving cloud computing services (Guidance), which provides APRA-regulated entities with best-practice guidance to assist those entities in mitigating the risks associated with the use of cloud-based IT services (Cloud Services).

The Guidance categorises Cloud Services into three broad categories denoting inherent levels of risk (low, heightened and extreme) according to how the technology is to be utilised. It explains APRA's endorsed best-practice approach to customers' internal processes and practices in respect of the procurement of Cloud Services in each risk category. Broadly, the greater the risk level ascribed to the cloud arrangements procured by an entity, the more involved APRA expects to be in the risk management process followed by that entity.

The Guidance also identifies potential problem areas for regulated entities to identify and address in relation to existing and future Cloud Services, including: 

  • Proposals for Cloud Services driven by cost considerations, which may not adequately address the customer's specific risk profile;
  • Fast-tracked transitions to Cloud Services with an inadequate focus on data migration and transition;
  • Inadequate ongoing oversight and governance processes; and
  • Inadequate contingency plans for disruption and availability issues.

The Guidance goes on to suggest measures to address these potential problems, such as conducting due diligence commensurate with the criticality and/or sensitivity of IT assets and, where entities are tasked with designing the operating and/or security models for Cloud Services, designing these models from the perspective that the cloud environment is capable of being compromised.

As cloud technology continues to advance and usage grows, APRA urges regulated entities to assess the adequacy of their internal risk management practices in relation to the use of Cloud Services. Despite the benefits of utilising outsourced cloud-based solutions, APRA notes that availability issues and disruptions to Cloud Services may have material consequences for customers, such as interruption to business operations and difficulties in accessing critical information. 

Further, Cloud Services may carry an increased risk in terms of the security and confidentiality of a customer's information (which, in the context of APRA-regulated entities, will most often include personal information). To this end, customers should ensure that the back-up and encryption practices of their cloud providers are adequate and accord with industry best practice.

APRA encourages regulated entities to review and, where necessary, revise their risk management practices in relation to Cloud Services, with a view to helping those entities ready themselves for the formalisation of the Guidance into new prudential standards and practice guides.

MinterEllison can assist clients who are looking to use cloud-based IT services to understand the endorsed best-practice approach to cloud computing as it relates to APRA-regulated entities. We can further assist clients in ensuring that any transactions they undertake accord with APRA's best-practice approach. This ensures that any cloud agreements or other documents entered into by a client are compliant with the Guidance.
