Moving to the Cloud: APRA’s Requirements are Simply Good Practice

Specialist consultant, Mark Zanon, advises superannuation funds on meeting their obligations and has investigated the consequences for super funds of moving IT to the Cloud.

This article is based on Mark’s experience in addressing the Australian Prudential Regulation Authority’s (APRA) requirements and recent engagements we have undertaken to assist funds in moving their IT infrastructure to the cloud.

It seems like everyone is moving to the cloud, or at least talking about it. Unfortunately the term “cloud computing” is both misunderstood and misused.

What is Cloud Computing?

The financial services prudential regulator APRA, defines cloud computing loosely as “a delivery model where dedicated or shared IT assets (software, hardware and data/information) are consumed as a service. This can comprise the provision of IT assets by a third party located offshore”¹.

That’s quite general and it might not be the best way to explain the benefits of the cloud to a group such as the board of a superannuation fund. It will be more meaningful to describe some general characteristics:

• Outsourced data storage – At its most basic level, cloud computing involves offsite, and often shared, IT infrastructure. This involves the use of data centres, as opposed to the traditional approach of each client having their own IT servers (located at either at their own premises or co-located in an offshore facility). A client may have their own distinct environment (‘private cloud’) or share this amongst other users (‘public cloud’).
• IT as a service – Common terms such as SaaS, Paas and IaaS (software, platform and infrastructure as a service) are widely used. These are basically the delivery of an application (e.g. email, Microsoft Office, accounting), bundled up with data storage and hosting in one neat package. This is generally offered on a subscription basis, which does away with the need to make big capital outlays on technology.

Common Misconceptions

With the modern and sophisticated nature of cloud computing systems, there are a number of misconceptions that, should they persist, can lead to uninformed decisions being made:

• Data is not secure – The opposite is probably true. The leading IT vendors operate sophisticated data centres that offer systems far more secure than the levels many in-house systems can achieve. They can utilise multiple levels of redundancy including ‘active/active’ that allows for immediate switch over to an alternate site if there are issues with one data centre. If you have particularly sensitive data, this could be maintained in a private cloud. These systems physically, or logically, separates organisational data from other users.
• Data leaves Australia – Many IT vendors, including offshore providers such as Amazon Web Services and Rackspace, have developed local data centres to allow data to be retained on-shore. This is important for financial services organisations that are subject to data sovereignty restrictions. Data being stored offshore is subject to additional oversight by APRA.
• APRA doesn’t allow it – While APRA does have an unnecessarily complicated regulatory framework covering the superannuation industry, there is no prohibition on the use of cloud services. Many funds are already using some elements of cloud computing to support existing applications. APRA’s rules contain a complex series of standards and guidelines and unfortunately there isn’t one specific cloud standard. Instead, there’s reference across the following standards:
  • Outsourcing and offshoring (ref: SPS231 and SPG231)
  • Managing data risk (ref: CPG235)
  • Business continuity management (ref: SPS232 and SPG232)
  • Security risk in IT (ref: CPG234)

As an example, trustee and compliance reporting applications commonly utilise the

Managing APRA’s Expectations

All regulated entities’ licence conditions state they must advise the regulator of outsourcing of any ‘material business activities’. This includes activities, which if disrupted, have the potential to cause a significant impact on business operations or risk management. Depending on the significance of IT applications impacted, a move to cloud computing may fall under this definition.

There is an expectation from the regulator that detailed risk assessments be undertaken covering:

• Service providers/suppliers through commercial arrangements, services, performance criteria and monitoring;
• Technology solution, architecture and alignment to strategy;
• Resilience via business continuity and disaster recovery;
• Business operations including service management, capacity, performance and implementing change;
• Governance, risk and compliance including audit functions and
• IT security and data management, integrity and availability; and
• of delivering the solution.

Your IT governance framework should contain a cloud strategy and appropriate risk management measures in alignment with APRA’s standards and guidelines around due diligence in these areas.

Apply This to Your Cloud Strategy

Build your cloud risk management strategy to manage the relevant risk types per above.

Share these with your cloud suppliers and hold them to the same standards and diligence as the regulator will hold you. Measure their performance and manage your risks.

Share these with APRA. Engage regularly with the regulator especially on any intent to outsource or move to the cloud. Ensure a board-approved outsourcing policy is in place.

APRA is Embracing the Cloud

While the APRA standards and guidelines are complex, they lack a specific cloud reference. Thus understanding their intent should form the basis for your IT risk framework around cloud services.

Sound governance and risk management is essential for any business or technology solution. Why not utilise APRA’s requirements to help manage cloud risks. It’s simply good practice!

¹ APRA’s ‘Letter to Industry – Outsourcing and Offshoring’ 15 Nov 2010